Critical-risk tools in Zotero
3 of the 22 tools in Zotero are classified as critical risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at critical risk
-
clear_attachment_cacheDestructiveClear cached attachment files to free disk space. - Provide itemKey to clear cache for a specific attachment - Omit itemKey to clear all cached attachments
-
delete_collectionDestructiveDelete a collection from the library. Items in the collection are NOT deleted - they remain in the library. Sub-collections are also deleted.
-
delete_itemDestructiveMove an item to trash (does not permanently delete). The item can be restored from trash in the Zotero client. To permanently delete, user must empty trash in Zotero.
Attacks that target this class
Critical-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.