Zotero PDF Local Import

Advisory: Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill may modify the local Python environment by installing or updating a dependency.

Why it was flagged

The doctor command can install the requests package into the active Python environment if it is missing; this is disclosed and purpose-aligned, but it is an automatic package install with a lower-bound version rather than a pinned exact version.

Skill content

subprocess.run([sys.executable, "-m", "pip", "install", "requests>=2.31.0"], capture_output=True, text=True)

Recommendation

If possible, preinstall requests yourself in a virtual environment or review the dependency install before allowing auto-install.

What this means

A wrong folder path, especially with recursive mode, could add many unintended PDFs to Zotero.

Why it was flagged

The skill directs the agent to automatically run the helper workflow and supports batch folder import. This is aligned with the skill's purpose, but broad or misunderstood paths could import more PDFs than intended.

Skill content

The agent must support all of the following user input forms and complete import automatically: ... A folder path ... Multiple PDF paths ... Run `doctor --auto-install-deps` ... If successful, run `import`

Recommendation

Use exact absolute paths, avoid recursive imports unless intended, and verify the target collection before running a batch import.

What this means

The helper can act on the local Zotero library while the connector is enabled.

Why it was flagged

The skill requires Zotero's local communication interface, which lets the helper list collections and import attachments into the user's local Zotero library.

Skill content

Enable: **Allow other applications on this computer to communicate with Zotero** ... Note the connector port ... provide it to the agent via `--port`

Recommendation

Only provide the Zotero port to agents you trust, and disable Zotero local-app communication when you no longer need this workflow.

What this means

Recent Zotero attachment titles and local file paths could appear in the agent conversation or logs.

Why it was flagged

The optional check command reads persistent Zotero database metadata, including attachment titles, paths, and dates. It is read-only and purpose-aligned, but the output may reveal private library information.

Skill content

SELECT i.itemID, idv.value as title, ia.path, i.dateAdded ... FROM items i ... typeName='attachment'

Recommendation

Run the check command only when needed and avoid sharing its output if Zotero item names or file paths are sensitive.