Zenodo Skill
v1.0.0
Use whenever the user mentions Zenodo, depositing or publishing research artifacts (datasets, software, papers, posters) to Zenodo, minting a DOI for a datas...
by Agents365.ai (@agents365-ai)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign (high confidence)
Purpose & Capability
Name/description (depositing, publishing, versioning, searching on Zenodo) align with the declared requirements: curl and a ZENODO_TOKEN. The files and examples exclusively target the Zenodo API and related local files (metadata.json, ./data/*), which are expected for this functionality.
Instruction Scope
SKILL.md and example scripts limit actions to Zenodo API calls (create deposition, upload via bucket, PUT metadata, publish, search). It reads local files to upload and reads $ZENODO_TOKEN/$ZENODO_BASE; it does not instruct reading unrelated system files or sending data to non-Zenodo endpoints. It explicitly warns to avoid inlining tokens and to confirm irreversible production publishes.
Install Mechanism
No install spec and no code files to write or execute. Instruction-only skills are lower-risk because nothing is downloaded or installed by the skill itself.
Credentials
Only one required environment variable (ZENODO_TOKEN) is declared and used; this is necessary for authenticated Zenodo operations. Optional ZENODO_BASE is reasonable for sandbox vs production. No unrelated credentials or system config paths are requested.
Persistence & Privilege
always:false (no forced inclusion). The agent policy file allows implicit invocation (allow_implicit_invocation:true) and model invocation is enabled by default — this is normal for skills, but remember that if the agent has access to a valid ZENODO_TOKEN it can perform authenticated actions programmatically. The skill mitigates risk by recommending sandbox-first and requiring explicit confirmation before irreversible production publish.
Assessment
This skill appears coherent and limited to the Zenodo API, but before installing:
1) Only provide a Zenodo token with the minimum required scopes (deposit:write and deposit:actions); use a sandbox token for testing.
2) Do not paste tokens into chat or inline them into commands shown to others; store them in your environment.
3) Be aware that if the agent can invoke the skill and the token is available, it can create/publish deposits — prefer sandbox unless you explicitly confirm production publishes.
4) Because this is an instruction-only skill from an external GitHub repo, review the repository yourself (or the SKILL.md/README contents, which are included) and only install from a source you trust.
5) Rotate/revoke the token if you stop using the skill or suspect misuse.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
📦 Clawdis
OS: macOS · Linux · Windows
Bins: curl
Env: ZENODO_TOKEN
