AGPL & security concerns: zotero-reference/gpt/style plugins ship obfuscated code not matching repos
Summary
- Multiple releases of the zotero-reference, zotero-style, and zotero-gpt plugins appear to ship XPIs whose main logic files are heavily obfuscated and don’t correspond to the code currently in their GitHub repos.
- Many releases are tagged to old commits, suggesting the release assets weren’t built from the visible sources.
- If the projects are AGPL-3.0 as claimed, the "Corresponding Source" for the distributed XPIs should be published. I can’t find it.
- Given Zotero extensions have unrestricted access to the machine, this reduces auditability and trust.
Details
- zotero-reference (https://github.com/MuiseDestiny/zotero-reference):
  - Several releases, including the latest (e.g., 1.6.7 on 2025‑12‑01; 1.6.4 on 2025‑11‑10; 1.6.2 on 2025‑10‑21; 1.5.0 on 2025‑09‑01; 1.4.4 on 2025‑05‑08; 1.4.0 on 2025‑03‑11) are all tied to commit 4a64b65 (2024‑09‑23), which seems to only touch the README.md.
  - The current XPI (1.6.7, from 2025-12-01, sha256:ed3c2e49506a6cec28e8c02069d5505ada84e8d6d824dc5203d51f327205baa0) contains an obfuscated zoteroreference.js with a very large single-line block, hexadecimal string tables, array shifting, and anti-debug patterns (function _0x58944b). It includes crypto-js modules such as ripemd160.js and mode-ctr-gladman.js.
  - That obfuscated zoteroreference.js file doesn't match https://github.com/MuiseDestiny/zotero-reference/blob/bootstrap/build/addon/chrome/content/scripts/zoteroreference.js in the repo.
  - package.json contains an "obfuscate" script.
- zotero-style (https://github.com/MuiseDestiny/zotero-style):
  - Multiple releases, including the last one, point to an older commit (027a2d0 from 2024‑11‑29) which seems to only touch the README.md.
  - The current XPI (5.8.3, from 2025-12-30, sha256:29d478789260f66087923c11df268834775fcc12e269a046633732e0572b49a4) contains an obfuscated zoterostyle.js that isn't present in the current repo checkout. Crypto-js code is bundled.
- zotero-gpt (https://github.com/MuiseDestiny/zotero-gpt):
  - Several releases (e.g., 2.0.2 on 2025‑06‑26; 1.8.8 on 2025‑03‑11; 1.7.4 on 2025‑02‑19; 1.5.2 on 2024‑11‑19) all point to commit 0d1e00e (2023‑11‑26), which seems to touch only the README.md. The latest release, 2.2.3 (2025‑10‑11), is tied to 9573a9e (2025‑09‑19), which also seems to touch only the README.md.
  - The current XPI (2.2.3, from 2025-10-11, sha256:abd91453aeee39cc1436ae69da9900e532535f4edbf2f385c2e555acb78df080) contains an obfuscated zoterogpt.js, again absent from the current repo and also with crypto-js code.
1. These repositories claim AGPL 3.0 licensing (https://github.com/MuiseDestiny/zotero-reference/blob/bootstrap/LICENSE, https://github.com/MuiseDestiny/zotero-gpt/blob/bootstrap/LICENSE, https://github.com/MuiseDestiny/zotero-style/blob/master/LICENSE). However, the distributed code doesn't correspond to the repository contents, which appears to constitute a licence violation. AGPL-3.0 Section 6 requires "Corresponding Source." Distributing obfuscated code without the modular source code used for building it appears to breach the licence.
2. I wonder if this violates Zotero's own AGPLv3 licence as, for example, the zotero-reference repository appears to include Zotero code (e.g., bootstrap.js: https://github.com/MuiseDestiny/zotero-reference/blob/bootstrap/build/addon/bootstrap.js).
Likewise, I am not sure if this violates the zotero-plugin-template licence, also AGPLv3: zotero-reference (along with -gpt and -style) are "generated from MuiseDestiny/zotero-addon-template", which itself (https://github.com/MuiseDestiny/zotero-addon-template) derives from https://github.com/windingwind/zotero-plugin-template.
3. Security concerns: Obfuscation plus bundled crypto makes auditing difficult, and this is code with wide privileges. In addition, users might use API keys (OpenAI, Semantic Scholar): without transparent sources, users can’t verify how keys and data are handled.
Prior context
- August 2024 thread about zotero-style (https://forums.zotero.org/discussion/116651/zotero-7-style-plugin-detected-as-unsafe-and-cannot-be-installed) where a user reported it was disabled for security/stability; Dan Stillman replied that the user was attempting to install a very old version that broke Zotero and suggested installing the current release; another user (tim820) explained how to find the Zotero-7-compatible version, which resolved the issue.
- March 2022: A user asked how safe extension installation was; Dan Stillman replied that "A Zotero extension has full, unrestricted access to your computer. You shouldn’t install it unless you trust the author. That said, most extensions are by known community members. If there’s a specific extension you’re curious about, you can ask about it here." https://forums.zotero.org/discussion/comment/401457/#Comment_401457
That thread continued with discussions of various extensions, including a July 2023 query specifically about zotero-style—one of the plugins I'm now questioning.
Consider the current post a long question.
I understand these are widely-used plugins by a reputable developer, so there may be established community practices or technical explanations that I am overlooking. However, the evidence seems concerning. I'd appreciate input from those more familiar with the ecosystem.
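A defender's audit of a downloaded XPI along the lines the post describes (hash the file, inspect the shipped scripts for the obfuscation markers listed above, note bundled crypto-js modules, and byte-compare an entry against a repo checkout), as an added example that is not from this thread or from the plugins' authors; the flag thresholds and the in-memory sample XPI are constructed assumptions:

```python
import hashlib
import io
import re
import zipfile

# Indicators named in the post: _0x identifiers, hex string tables, one huge line.
HEX_IDENT = re.compile(r"\b_0x[0-9a-f]{4,}\b")
HEX_ESCAPE = re.compile(r"\\x[0-9a-f]{2}")
CRYPTO_NAME = re.compile(r"ripemd160|mode-ctr-gladman|crypto-js", re.I)


def audit_xpi(xpi: bytes, long_line=5000, min_idents=10, min_escapes=50) -> dict:
    """Hash the XPI and flag each .js entry showing obfuscation indicators (thresholds assumed)."""
    report = {"sha256": hashlib.sha256(xpi).hexdigest(), "flagged": {}, "bundled_crypto": []}
    with zipfile.ZipFile(io.BytesIO(xpi)) as zf:
        for name in zf.namelist():
            if not name.endswith(".js"):
                continue
            if CRYPTO_NAME.search(name):  # bundled crypto-js module, as the post observed
                report["bundled_crypto"].append(name)
            text = zf.read(name).decode("utf-8", errors="replace")
            longest = max((len(ln) for ln in text.splitlines()), default=0)
            idents = len(set(HEX_IDENT.findall(text)))
            escapes = len(HEX_ESCAPE.findall(text))
            reasons = [r for cond, r in (
                (longest > long_line, f"longest line {longest} chars"),
                (idents >= min_idents, f"{idents} distinct _0x identifiers"),
                (escapes >= min_escapes, f"{escapes} \\x string escapes")) if cond]
            if reasons:
                report["flagged"][name] = reasons
    return report


def matches_repo_source(xpi: bytes, entry: str, repo_source: bytes) -> bool:
    """True only if the shipped entry is byte-identical to the file from the repo checkout."""
    with zipfile.ZipFile(io.BytesIO(xpi)) as zf:
        return zf.read(entry) == repo_source


def build_sample_xpi() -> bytes:
    """Constructed sample (not a real release): one obfuscated-looking script,
    one clean script, one module named like a crypto-js file."""
    table = " ".join(f"var _0x{i:06x}=['\\x61\\x62'];" for i in range(0x58944b, 0x58944b + 30))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("chrome/content/scripts/zoteroreference.js", "(function(){" + table + "})();")
        zf.writestr("bootstrap.js", "function hello() {\n  return 'hi';\n}\n")
        zf.writestr("lib/ripemd160.js", "// constructed stand-in for a crypto-js module\n")
    return buf.getvalue()
```

Run `audit_xpi` on the real XPI bytes and compare `report["sha256"]` with the published digest before reading the flagged entries; a clean build from the repo should make `matches_repo_source` return True for every shipped script.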
FWIW, I would personally never install a plugin with obfuscated code.
Done. For easier cross-referencing, these are the links to the issues: https://github.com/MuiseDestiny/zotero-gpt/issues/496, https://github.com/MuiseDestiny/zotero-reference/issues/385, https://github.com/MuiseDestiny/zotero-style/issues/1404.
It appears that the release versions, rather than referring to the GitHub repositories, refer to a different repository, https://gitee.com/MuiseDestiny/plugins. That repository, unlike the GitHub one, is active, but also does not contain source code, just obfuscated XPIs. It does, however, have a different license, a "Commercial Software License Agreement" that is explicitly not open source.
I'm not sure if the plugins are actively malicious (though I too would never use obfuscated-code plugins like this); it looks like the developer meant to close-source them and make them paid extensions. I don't have a good enough translation of the readmes to tell whether that is clear, and I don't know whether the license listed in a repository would be taken to apply to releases for that repository on GitHub but not in the repository itself. It does seem quite likely that there are AGPL violations involved, and perhaps trademark violations with the zoteroplugin.com domain.
To be completely transparent, the reason for the obfuscated code in the releases is that I have been transitioning the plugin towards a commercialized model (introducing "Pro" features) to sustain its ongoing development and maintenance. The obfuscation was applied strictly to protect the premium feature logic and the license verification mechanism.
I truly believe that sustainable commercialization allows developers to invest the necessary time and resources to deliver higher-quality features. Ultimately, this creates a mutually beneficial relationship where developers can maintain their work, and users receive more powerful, reliable tools.
I want to state unequivocally that there is absolutely no malicious code or intent here. There is no incentive for me to compromise the data or security of the users who rely on my tools. The network API requests you might have observed are used solely for verifying Pro user licenses. Additionally, the specific domain that was pointed out is currently being phased out and will soon no longer be in use.
However, I now fully realize that mixing obfuscated, closed-source logic within an AGPL ecosystem is a mistake. It breaks the verifiable trust that researchers require and goes against the spirit of the open-source community. I apologize for this oversight.
I would like to ask the community and core developers for advice:
I am currently facing a developer's dilemma. How can I sustainably monetize a Zotero plugin (to justify the extensive time spent on development) while fully respecting Zotero's AGPL license and the community's need for 100% transparent, verifiable code?
Are there recommended best practices or patterns for this in the Zotero ecosystem?
Thank you again for keeping the ecosystem safe and for any advice you can provide.