zotero-paper
PassAudited by ClawScan on May 1, 2026.
Overview
The skill appears to do what it claims—save papers into Zotero—but users should understand it uses a Zotero API key and makes persistent library changes.
Install this only if you are comfortable giving the skill a Zotero API key. Use the least-privileged Zotero key available, verify each paper before saving, and remember that successful runs can permanently add items, notes, and arXiv PDF attachments to your Zotero library.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone installing and configuring this skill gives it the ability to act on their Zotero library according to the API key's permissions.
The script reads a Zotero API credential from the environment and uses it to authenticate to the user's Zotero library.
zotero_creds = os.environ.get('ZOTERO_CREDENTIALS') ... zot = zotero.Zotero(library_id, library_type, api_key)Use a Zotero API key with the minimum permissions needed, keep it private, and rotate it if you no longer use the skill.
If invoked with incorrect or unintended metadata, the skill can add unwanted entries or attachments to the user's Zotero library.
The script performs authenticated write operations: it creates Zotero items, may add a note, and may upload a PDF attachment.
resp = zot.create_items([template]) ... zot.create_items([note_template]) ... zot.attachment_simple([pdf_path], item_key)
Review the paper title, authors, URL, summary, and tags before asking the agent to save a paper.
Future installs may resolve to a newer pyzotero version than the author originally tested.
The uv script declares a third-party dependency using a minimum version rather than an exact pinned version.
# dependencies = ["pyzotero>=1.6.0"]
Prefer a pinned dependency or lockfile if reproducible installs are important.