Academic Paper Finder

Pass

Audited by ClawScan on May 1, 2026.

Overview

The skill appears to do what it advertises, but users should knowingly approve its Zotero credential use and external literature API lookups.

This looks safe to use for its stated purpose if you are comfortable with external literature API lookups and Zotero account writes. Use a limited Zotero API key, review batch imports before running them, and choose RIS output paths carefully.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A Zotero key with write access lets the skill add references to your Zotero library, including through batch import workflows.

Why it was flagged

The script uses a Zotero API key and user ID to authenticate to the user's Zotero account and create library items. This is expected for Zotero import, but it is delegated account authority.

Skill content

API_KEY = os.environ.get('ZOTERO_API_KEY') ... url = f"{API_BASE}/users/{USER_ID}/items" ... req.add_header('Zotero-API-Key', API_KEY)

Recommendation

Use a Zotero API key with only the permissions needed, review the PMID/DOI list before importing, and revoke the key when you no longer need the skill.

What this means

A user may not realize from registry metadata alone that Zotero credentials are needed for import features.

Why it was flagged

The skill's setup requires Zotero environment variables, while the registry metadata lists no required environment variables and no primary credential. This is an under-declared setup/credential requirement, not evidence of hidden misuse.

Skill content

Requires environment variables:
- `ZOTERO_API_KEY` - Zotero API key
- `ZOTERO_USER_ID` - Your Zotero user ID

Recommendation

The skill should declare the Zotero API key and user ID in its metadata, and users should read the SKILL.md setup before enabling Zotero import.

What this means

Research identifiers and search-related metadata may be visible to third-party literature services used by the skill.

Why it was flagged

Citation count lookups send PMIDs to OpenAlex. This is purpose-aligned, but it is an external provider data flow users may want to know about.

Skill content

url = f"https://api.openalex.org/works?filter=pmid:{pmid}"

Recommendation

Avoid using the skill for sensitive research queries unless you are comfortable sending those terms or PMIDs to PubMed/NCBI, OpenAlex, and Zotero.