Trust Assessment
zotero-cli received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 16 findings: 7 critical, 1 high, 8 medium, and 0 low severity. Key findings include persistence / self-modification instructions, arbitrary command execution, and a Python file that could not be statically analyzed.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (16)
| Severity | Finding | Details | Remediation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions | Shell RC file modification for persistence | Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/killgfat/zotero-cli/scripts/README.md:428 |
| CRITICAL | Persistence / self-modification instructions | Shell RC file modification for persistence | Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/killgfat/zotero-cli/scripts/README.md:461 |
| CRITICAL | Persistence / self-modification instructions | Shell RC file modification for persistence | Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/killgfat/zotero-cli/scripts/README.md:462 |
| CRITICAL | Persistence / self-modification instructions | Shell RC file modification for persistence | Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/killgfat/zotero-cli/scripts/setup_and_check.sh:218 |
| CRITICAL | Arbitrary command execution | Python shell execution (os.system, subprocess) | Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/killgfat/zotero-cli/scripts/export_citations.py:23 |
| CRITICAL | Arbitrary command execution | Python shell execution (os.system, subprocess) | Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/killgfat/zotero-cli/scripts/quick_search.py:23 |
| CRITICAL | Command Injection via unsanitized --date argument | The `scripts/backup_restore.sh` script is vulnerable to command injection. The `restore_backup` function takes a `backup_date` argument directly from user input (`--date <value>`). This variable is then used within double-quoted strings in shell commands (e.g., `cp "$BACKUP_DIR/config_$backup_date.ini" "$CONFIG_FILE"`). However, shell command substitution (`$(command)`) is expanded even within double quotes. An attacker can inject arbitrary commands by providing a crafted `--date` value, such as `--date "$(malicious_command)"`, leading to arbitrary code execution on the host system. | Sanitize the `RESTORE_DATE` variable before using it in file paths, or validate its format strictly. A robust solution would be to use `printf %q` to properly quote the variable for shell use, or to strictly validate that the input matches the expected date format and contains no special characters. | LLM | scripts/backup_restore.sh:249 |
| HIGH | Structured Output Injection (BibTeX/RIS) from unsanitized Zotero data | The `scripts/export_citations.py` script retrieves item titles and authors from `zotcli` output and directly embeds them into BibTeX and RIS formatted strings without proper escaping for these specific formats. If a user's Zotero library contains entries with maliciously crafted titles or authors (e.g., containing BibTeX commands like `\write18{...}` or RIS tags that could manipulate a parser), this script will output them directly. This could lead to prompt injection if the output is fed to an LLM, or command injection if the BibTeX is compiled by a LaTeX processor with shell-escape enabled, or other forms of data manipulation/exfiltration when processed by downstream tools. | Implement robust escaping for BibTeX and RIS formats. For BibTeX, escape characters like `{`, `}`, `\`, `%`, `~`, etc. For RIS, ensure that newlines or specific tag delimiters within the data cannot introduce new RIS fields or break out of existing ones. Consider using a dedicated library for BibTeX/RIS generation that handles escaping automatically. | LLM | scripts/export_citations.py:90 |
| MEDIUM | Python file could not be statically analyzed | SyntaxError: invalid syntax (line 74) | | Static | skills/killgfat/zotero-cli/scripts/export_citations.py:74 |
| MEDIUM | Python file could not be statically analyzed | SyntaxError: unterminated string literal (detected at line 134) (line 134) | | Static | skills/killgfat/zotero-cli/scripts/quick_search.py:134 |
| MEDIUM | Sensitive environment variable access: $HOME | Access to sensitive environment variable '$HOME' detected in shell context. | Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/killgfat/zotero-cli/SKILL.md:33 |
| MEDIUM | Sensitive environment variable access: $HOME | Access to sensitive environment variable '$HOME' detected in shell context. | Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/killgfat/zotero-cli/scripts/backup_restore.sh:16 |
| MEDIUM | Sensitive environment variable access: $HOME | Access to sensitive environment variable '$HOME' detected in shell context. | Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/killgfat/zotero-cli/scripts/setup_and_check.sh:190 |
| MEDIUM | Persistence mechanism: Shell RC file modification | Detected Shell RC file modification pattern. Persistence mechanisms allow malware to survive system restarts. | Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/killgfat/zotero-cli/scripts/setup_and_check.sh:218 |
| MEDIUM | Sensitive environment variable access: $HOME | Access to sensitive environment variable '$HOME' detected in shell context. | Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/killgfat/zotero-cli/scripts/update_check.sh:315 |
| MEDIUM | Structured Output Injection (Markdown) from unsanitized Zotero data | The `scripts/quick_search.py` script retrieves item titles and authors from `zotcli` output and embeds them into Markdown tables. While it attempts to escape pipe characters (`\|`), it does not escape other Markdown control characters (e.g., `[`, `]`, `(`, `)`, `<`, `>`). If a user's Zotero library contains entries with maliciously crafted titles or authors (e.g., `[Click me](javascript:alert(1))`), this script will output them directly. If the generated Markdown is subsequently rendered in a vulnerable Markdown viewer (e.g., a web application), this could lead to Cross-Site Scripting (XSS) or other forms of content manipulation. | Implement comprehensive Markdown escaping for all potentially dangerous characters, not just pipe characters. This includes characters used for links, images, bold/italic formatting, and HTML tags. A more robust solution would be to use a Markdown sanitization library if the output is intended for display in a web context. | LLM | scripts/quick_search.py:109 |
Full report: https://skillshield.io/report/f0d45a01ff48514f (powered by SkillShield)