Is gloamingblue/zotero-paper safe?

https://github.com/openclaw/skills/tree/main/skills/gloamingblue/zotero-paper

85
SAFE

The zotero-paper skill is a narrowly scoped academic citation manager that saves paper metadata and PDFs to a user's Zotero library using their own API credentials. No prompt injection, adversarial instructions, or canary exfiltration was detected; all honeypot files remain intact. The primary concerns are a supply chain risk from runtime PyPI dependency fetching via uv, an accidentally committed .clawhub/lock.json referencing an undeclared skill dependency, and a platform-level path expansion concern with the {baseDir} template variable.

Category Scores

Prompt Injection 92/100 · 30%
Data Exfiltration 78/100 · 25%
Code Execution 78/100 · 20%
Clone Behavior 91/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 82/100 · 5%

Findings (6)

MEDIUM Runtime PyPI dependency download via uv run -15

The skill invokes 'uv run {baseDir}/scripts/save_paper.py' which causes uv to download pyzotero>=1.6.0 from PyPI at every execution rather than at install time. A compromised or typosquatted pyzotero package could execute arbitrary code with access to the ZOTERO_CREDENTIALS environment variable and any other secrets in the agent's environment.

LOW Leaked .clawhub/lock.json with undeclared skill dependency -7

The committed .clawhub/lock.json references 'academic-research-hub' version 0.1.0 installed at timestamp 1770957475341. This file should not be part of the published skill and indicates either an accidental artifact from the author's development environment or an undeclared runtime dependency on a separate skill. Users cannot audit what 'academic-research-hub' does.

LOW {baseDir} template expansion not validated -8

The SKILL.md example command uses {baseDir} as a template placeholder. If the platform performing this substitution does not sanitize the value, an attacker controlling the install path could craft a path containing shell metacharacters. This is a platform-level concern; the skill itself does not supply a malicious baseDir value.

LOW Agent-supplied --summary and --abstract content stored verbatim in Zotero -9

The script writes --summary content directly into a Zotero note and --abstract into the abstractNote field without sanitization. If an AI agent summarizes a malicious paper and passes that summary through the skill, the adversarial content would be persisted to the user's Zotero library and potentially their Zotero cloud account. This is an indirect content injection risk.

INFO Global HTTP opener mutation via urllib.request.install_opener() -3

The script calls urllib.request.install_opener() with a custom User-Agent header to download arxiv PDFs. This replaces the global default opener for the entire Python process. In a long-running agent process this could affect subsequent URL fetches. Not malicious, but is non-idiomatic and worth noting.

INFO Post-install openclaw-gateway establishes persistent external connections 0

After installation, the openclaw-gateway process (pid=1088, part of the audit infrastructure) maintains TCP connections to 98.83.99.233:443 and 104.16.3.34:443. These are attributable to the OpenClaw audit platform, not the skill. Noted for completeness.