WoS Zotero Literature Hunter

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly matches its literature-import purpose, but it asks for high-privilege Zotero credentials, including notes access, and passes the API key on the command line.

Review before installing. If you use it, create a dedicated Zotero API key with the minimum permissions needed, avoid notes access unless required, run --dry-run first, and supervise use of your authenticated Web of Science browser session.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A broad Zotero key could modify the user's library and potentially access notes if exposed or misused; command-line secrets can also be visible in logs, process listings, or copied command history.

Why it was flagged

The skill requires a write-capable Zotero key, shows it being passed as a command-line argument, and recommends enabling notes access. The included script only shows collection and journal-article item import, so notes access appears broader than the demonstrated need.

Skill content
Zotero API key ... (needs read/write) ... --zotero-key <API_KEY> ... check "Allow library access" and "Allow notes access"
Recommendation

Use a dedicated least-privilege Zotero key, avoid enabling notes access unless it is truly required, avoid pasting the key into shared chats or shell history, and revoke the key after use.

What this means

The agent may browse Web of Science as the user through an existing institutional session.

Why it was flagged

The skill intentionally uses the user's authenticated browser session for Web of Science access. This is disclosed and purpose-aligned, but it still gives the agent access to institution-authenticated pages.

Skill content
Use browser automation with the user's profile (to preserve institutional login session)
Recommendation

Supervise browser automation, consider a dedicated browser profile, and do not enter unrelated credentials during the session.

What this means

Incorrect extracted metadata or duplicate results could be written into the user's Zotero library.

Why it was flagged

The script writes to the user's Zotero account by creating collections and items. This is the advertised function, but it is a persistent account mutation.

Skill content
resp = zot.create_collections([{"name": collection_name}]) ... resp = zot.create_items([t])
Recommendation

Run with --dry-run first, review the extracted paper list, and import into a new collection that can be checked or removed if needed.

What this means

A future package change or compromised install environment could affect the import script.

Why it was flagged

The skill relies on an unpinned third-party Python package installed outside a declared install spec. This is common for integrations but leaves package provenance/versioning to the user.

Skill content
pyzotero installed — `pip install pyzotero`
Recommendation

Install pyzotero from a trusted source, preferably in a virtual environment, and pin a known-good version if using the skill repeatedly.