Zotero Cli
Pass
Audited by ClawScan on May 1, 2026.
Overview
This appears to be a coherent Zotero command-line helper, but it needs Zotero API access and can create local backups containing your Zotero API key and library data.
Install this only if you trust the upstream zotero-cli package. Use a dedicated Zotero API key with only the permissions you need, protect `~/.config/zotcli/config.ini` and any `~/.zotero-cli-backups/` files, and add cron automation only if you intentionally want recurring background maintenance.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using this skill will need to grant access to their Zotero account, including permission to change notes or other writable library data.
The skill needs a Zotero API key with both read and write authority, which is appropriate for searching and editing notes but gives the tool access to modify Zotero library content.
Ensure API key has "Read" and "Write" permissions
Create a Zotero API key only for this tool, grant the minimum permissions you need, store it securely, and revoke it if you stop using the skill.
Backups may contain credentials and research-library metadata; if those files are shared, synced insecurely, or left readable by others, account access or private research data could be exposed.
The backup workflow explicitly stores configuration containing the Zotero user ID and API key, along with library data, in persistent local backups.
Configuration File - `~/.config/zotcli/config.ini` - Your Zotero userID and API key
Keep backup directories private, verify file permissions, avoid uploading backups to shared locations, and clean old backups when no longer needed.
Installing directly from a moving branch means the code you install can change over time and may not match a reviewed release.
The documentation includes an optional install path from a moving GitHub master branch, which is less reproducible than a pinned package version.
pipx install git+git://github.com/jbaiter/zotero-cli.git@master
Prefer pipx installation from a known release when possible, and only install from GitHub master if you intentionally want the latest development version and trust the repository.
Scheduled tasks could keep running after setup and continue creating backups or checking for updates without further prompts.
The documentation shows optional cron jobs for recurring backups and update checks, creating persistent scheduled activity if the user adds them.
# Weekly backup
0 9 * * 0 /path/to/backup_restore.sh backup
# Weekly update check
0 10 * * 0 /path/to/update_check.sh check
Only add cron jobs you actually want, review them periodically, and prefer scheduled update checks over automatic unattended updates.
