zotero-scholar
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is a coherent Zotero helper that uses your Zotero API key to add papers, notes, and optional PDFs to your library; the main risk is expected persistent account-write access.
Install this if you are comfortable giving it a Zotero API key that can add library content. Use the least-privileged Zotero key that works, review the paper URL and AI summary before saving, and consider pinning the Python dependency if you need stricter reproducibility.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A Zotero API key with write permissions can add items, notes, and attachments to your Zotero library.
The skill reads a Zotero API credential and uses it to access a user library. This is disclosed and necessary for the stated purpose, but it grants account-level API access.
zotero_creds = os.environ.get('ZOTERO_CREDENTIALS') ... zot = zotero.Zotero(library_id, library_type, api_key)
Use a Zotero API key scoped only to the needed library and permissions, and revoke or rotate it if you stop using the skill.
Incorrect title, author, URL, summary, or tag inputs could create unwanted persistent entries in Zotero.
The script creates Zotero records and can upload a downloaded PDF attachment. This mutation is purpose-aligned, but users should recognize that running it changes a third-party account library.
resp = zot.create_items([template]) ... zot.attachment_simple([pdf_path], item_key)
Review the paper metadata and URL before invoking the skill, especially when the agent extracted those values from an external page.
A future package version could behave differently from the version originally reviewed.
The script relies on uv resolving the pyzotero package at runtime with a minimum version rather than an exact pinned version. The dependency is expected for Zotero integration.
# dependencies = ["pyzotero>=1.6.0"]
Install from trusted package sources, and consider pinning pyzotero to a known-good version if you require reproducible installs.
Misleading, unreviewed, or sensitive summary text could remain in Zotero and be seen or reused later.
The skill stores the provided AI summary as a persistent Zotero note. This is expected, but AI-generated or user-supplied text may later be reused or trusted as library context.
note_template['note'] = f"<h3>AI 摘要</h3><p>{args.summary}</p>"
Review AI summaries before saving them, and avoid putting secrets or untrusted instructions into persistent Zotero notes.
