Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
My skill
v1.0.0
Write, tag, annotate, and edit a local Zotero SQLite database. Use when the user wants to: (1) Add tags or labels to papers in their Zotero library, (2) Add...
by Liang Guo @lyononthemoon
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (write/tag/edit Zotero sqlite DB) align with the included script and SKILL.md examples. Required binary (python3 with sqlite3) is appropriate for this purpose.
Instruction Scope
Instructions are limited to local database operations and explicitly tell the user to close Zotero and create backups first. They reference another skill (zotero-browse) for finding keys, which is reasonable. However, SKILL.md and the script embed a hardcoded default DB path and backup directory (E:\Refer.Hub\...), which is platform-specific and surprising for a generic skill. The examples always pass --backup; the parser/help and usage text around --backup are inconsistent (it looks like --backup is both a PATH argument and described as an action to use BACKUP_DIR).
Install Mechanism
No install spec is present (instruction-only with included script). This is low-risk from an install perspective because nothing is fetched or executed automatically from external hosts.
Credentials
The skill requests no environment variables or external credentials. It only needs local filesystem access to the Zotero sqlite file, which is appropriate for its purpose.
Persistence & Privilege
The skill does not request permanent presence (always=false) and does not modify other skills or system-wide settings. It has normal, limited privileges consistent with a local utility script.
What to consider before installing
This skill appears to do what it claims (local edits to a Zotero sqlite), but there are several things to watch out for:
- Hardcoded Windows paths: The default DB path and backup directory are set to E:\Refer.Hub\..., which may not match your setup. Verify and override the --db or invocation arguments to point to a safe test copy before running.
- Inconsistencies and bugs: The included script shows at least one likely bug (mismatched SQL placeholders / argument counts in the INSERT for note/items). That can raise exceptions and may leave the DB in a partial state. Do NOT run this against your production library without testing.
- Always use a copy: Follow the SKILL.md advice: make an offline copy of your zotero.sqlite and run the script against that copy first. Confirm backups were created and can be restored before attempting writes.
- Inspect the complete script: The provided file is truncated in the listing; review the remainder to ensure there are no network calls or unexpected behavior before running.
- Prefer official APIs/tools: If possible, use Zotero's official sync/API or established libraries rather than direct sqlite writes; direct DB edits carry risk if Zotero's schema changes.
If you want, provide the rest of scripts/write_items.py (the truncated portion) and I can re-check for any network calls, additional bugs, or dangerous patterns. If you plan to run it, test on a disposable copy of your DB and verify backups first.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
📝 Clawdis
Bins: python3 (with sqlite3 built-in)
