Pyzotero
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: pyzotero
Version: 2.2.0
This skill provides Python scripts to manage Zotero libraries, supporting both local and online API modes. It handles Zotero API keys via environment variables, which is a standard practice for CLI tools. All network calls are directed to the official Zotero API (api.zotero.org) for legitimate library management operations, such as searching, listing, adding, and deleting items/collections, as seen in `scripts/zotero_tool.py`. There is no evidence of data exfiltration to unauthorized endpoints, malicious execution, persistence mechanisms, or prompt injection attempts in `SKILL.md` or other documentation files. The code and instructions are clearly aligned with the stated purpose of Zotero library management.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent or user running the wrong command could add many unwanted records or delete/alter Zotero collections.
The skill explicitly exposes bulk-add and collection-deletion operations against the user's Zotero library. These are purpose-aligned but can materially change library data if invoked incorrectly.
`python3 scripts/zotero_tool.py add-from-json file.json` | **Bulk add items** ... `python3 scripts/zotero_tool.py collection-delete KEY -y` | **Delete collection**
Use mutation commands only when explicitly intended, avoid '-y' unless you are sure, and confirm collection keys before deleting or renaming.
A Zotero API key may allow access to private library metadata/files and, depending on key permissions, may allow library changes.
Online mode reads Zotero account credentials from environment variables and uses them to access the Zotero Web API. This is expected for the stated integration and the artifacts do not show credential logging or unrelated transmission.
user_id = os.environ.get('ZOTERO_USER_ID')
api_key = os.environ.get('ZOTERO_API_KEY')
...
zot = zotero.Zotero(user_id, 'user', api_key)
Create the least-privileged Zotero API key needed, keep it out of shared shell history/configs where possible, and revoke it if no longer needed.
Installing an unpinned package may pull a newer dependency version than expected.
The skill asks users to install the unpinned 'pyzotero' Python package. This is normal for the skill's purpose, but it means trust is delegated to the Python package source and current package version.
pipx install pyzotero ... pip install --user pyzotero
Prefer pipx as documented, install from the official package source, and pin or review package versions in stricter environments.
