ClawHub

Zotero Enhanced

v1.3.4

Manages the Zotero library. Supports adding new PDF documents with automatic metadata fetching (Crossref/arXiv), searching for existing items, reading attach...

0· 115·1 current·1 all-time
by@guoxh
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, required binaries (curl, jq, pdftotext, zip/unzip, md5sum/md5) and required env vars (ZOTERO_USER_ID, ZOTERO_API_KEY) match the declared purpose of adding/searching/reading Zotero items and uploading/downloading attachments. The included scripts implement the advertised features (metadata lookup, attachment uploads, note management).
Instruction Scope
The runtime instructions and scripts operate within the stated scope: they call Zotero, Crossref, arXiv, and optional user-supplied WebDAV endpoints. Scripts read PDFs with pdftotext, create temporary files in /tmp, and may write backups to ~/.zotero-backup. They do not attempt to read other system credentials or contact unknown external hosts. Note: some helpful tools (e.g., xmllint) are used if available but are optional. Also some SKILL.md sections are truncated in the manifest but the available scripts are consistent with the description.
Install Mechanism
No install spec is provided (instruction-only installation), and the skill includes shell scripts only. There are no network downloads or archive extraction steps during installation. This is low-risk from an install-mechanism perspective.
Credentials
The primary credential requested is the Zotero API key (ZOTERO_API_KEY) and the user ID — both appropriate and required for the capabilities. WebDAV credentials (WEBDAV_URL, WEBDAV_USER, WEBDAV_PASS) are used only when the user opts into WebDAV mode; the registry's required env list only includes the Zotero vars (which is reasonable). Scripts will also read HOME for optional backups and write to /tmp and a backup dir (~/.zotero-backup) if backup is requested — consider that local file writes will occur.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system-wide agent settings, and relies on ephemeral temp files and optional user-visible backups. It uses normal user-level filesystem locations and does not request elevated privileges.
Assessment
This package appears to do what it claims: manipulate Zotero items, fetch metadata from Crossref/arXiv, and optionally use WebDAV. Before installing or running: 1) Review the scripts yourself (they are plain shell and included) and confirm you trust the source. 2) Only provide ZOTERO_API_KEY and WEBDAV credentials when needed; the Zotero API key gives access to your library, so treat it like a password. 3) Be aware scripts create temporary files in /tmp and may save backups to ~/.zotero-backup if you use the backup option; check and restrict permissions on those directories if necessary. 4) Run scripts/check_deps.sh first to see missing dependencies. If you need higher assurance, run the scripts in a controlled environment (container or VM) and inspect network traffic during an operation.

Like a lobster shell, security has layers — review code before you run it.

latestvk972yw31sy86wa3jvgxh1p5dx983yx65

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📚 Clawdis
Binscurl, jq, pdftotext, zip, unzip
Any binmd5sum, md5
EnvZOTERO_USER_ID, ZOTERO_API_KEY
Primary envZOTERO_API_KEY

Comments