Zappush
      papersgpt

      Safety Report

      papersgpt-for-zotero

      @papersgpt

      A privacy-first, local-first search assistant and MCP server for your Zotero library, enabling AI agents to search and analyze your research papers securely.

      117 Downloads
      0 Installs
      4 Stars
      2 Versions
      Search & Retrieval 4,480 · Legal & Compliance 1,710

      Security Analysis

      medium confidence
      Clean · 0.12 risk

      The skill's instructions and requirements are internally consistent with its stated purpose (a local Zotero search/indexing assistant), but it is instruction-only and tells the user to install and run an external npm package and a background service, so you should vet that package and the service before installing.

      Apr 13, 2026 · 1 file · 3 concerns

      Purpose & Capability: ok

      The name and description (local, privacy-first Zotero search/indexing) match the SKILL.md instructions: initialize by pointing at the Zotero storage, run pz search, and stop the background service. No unrelated credentials or binaries are requested.

      Instruction Scope: note

      Instructions focus on indexing local Zotero storage and running pz CLI commands (pz init, pz search, pz stop). However, the doc refers to running a background indexing/service (an 'MCP server') without describing whether it opens network ports, what it exposes, or what data (if any) it transmits externally. That omission is notable because a background server could expose local data unexpectedly.

      Install Mechanism: note

      There is no platform install spec; SKILL.md instructs the user to run npm install papersgpt-for-zotero. Installing an npm package is a reasonable route for a CLI tool, but npm packages can execute arbitrary code (postinstall scripts, background processes). The skill references a GitHub repo URL which is a known host, but the registry metadata lists the source as unknown and has no homepage in the registry — you should verify the package source and contents before running it.

      Credentials: ok

      The skill requests no environment variables, credentials, or config paths beyond the Zotero storage directory (which the user supplies). There are no unexplained secret or cloud credential requests.

      Persistence & Privilege: note

      The skill does not request 'always: true' or autonomous platform privileges. It does instruct the user to start a background indexing service (pz init) that persists outside the agent's process — this is reasonable for a local search server but may create long-lived processes and potential network exposure; the SKILL.md does not describe how that persistence is managed or secured.

      Guidance

      This skill appears to do what it says (index and search your local Zotero storage), but it is instruction-only and tells you to install an external npm package and run a background service. Before installing or running it:

      1) inspect the npm package and its GitHub repo (check the maintainer, recent commits, issues, and package.json scripts) to ensure there are no unexpected postinstall or remote-exfiltration behaviors;
      2) run it in a contained environment (VM or container) first if you are unsure;
      3) verify what network ports the background service opens and avoid exposing it to the public internet;
      4) back up sensitive Zotero data before indexing; and
      5) prefer installing packages from a verified source or official project page rather than unknown registry metadata.

      If you can provide the npm package name/version or the GitHub repo content, I can re-evaluate with higher confidence.

      Latest Release

      v1.0.1

      - Added a link to the GitHub repository for more information in the Installation section.
      - No functional or behavioral changes to the skill itself.

      Published by @papersgpt on ClawHub
