ClawHub

zotero-sholar

v0.0.1

将论文和摘要保存到 Zotero 文库。需配置 ZOTERO_CREDENTIALS 环境变量。

0· 980·2 current·2 all-time
by@gottenzzp
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description state 'save papers and abstracts to Zotero' and the package contains a Python script that uses the pyzotero client and asks for ZOTERO_CREDENTIALS in userID:apiKey form. The required binary 'uv' is used in the SKILL.md examples to run the script. Small inconsistency: registry slug/name contains a typo (zotero-sholar vs SKILL.md name zotero-scholar) but this is cosmetic.
Instruction Scope
SKILL.md instructs only to run the provided script via 'uv run' and to set ZOTERO_CREDENTIALS. The script's runtime actions (search Zotero for URL, create item, add note, download arXiv PDF and attach) are within the stated purpose and do not read unrelated files or environment variables.
Install Mechanism
No formal install spec is present (instruction-only), which is low-risk. The script declares dependencies via PEP-723-like headers and the SKILL.md says 'uv run' will auto-install pyzotero; this is expected but means a network install (pip) will occur when executed — user should accept that pyzotero will be fetched and installed.
Credentials
Only ZOTERO_CREDENTIALS is required and used. The script parses it as userID:apiKey and uses those values for the Zotero API. No unrelated secrets or extra environment variables are requested or accessed.
Persistence & Privilege
always is false and the skill does not request persistent or elevated platform privileges. It does not modify other skills or global agent configuration.
Assessment
This skill appears coherent and implements its stated function. Before installing: (1) confirm you are comfortable providing ZOTERO_CREDENTIALS in the form userID:apiKey — that API key grants write access to the specified Zotero library, so limit the key's scope if possible; (2) the 'uv' runner will install the pyzotero package from the Python package index at runtime — ensure network installs are acceptable in your environment; (3) the script always treats the library as a personal ('user') library (no built-in group-library support); (4) the script will download PDFs from arXiv when URLs contain 'arxiv.org' and upload them to Zotero; review the code if you need stricter controls; (5) note the minor name/slug typo (zotero-sholar vs zotero-scholar) is cosmetic only. If you have any doubt, inspect the script yourself and consider creating a dedicated Zotero API key with minimal permissions and rotating it after testing.

Like a lobster shell, security has layers — review code before you run it.

latestvk9731n7yf88emq5ersxxk1ffeh80zj8b

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🧠 Clawdis
Binsuv
EnvZOTERO_CREDENTIALS
Primary envZOTERO_CREDENTIALS

Comments