ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

openclaw-zotero-scholar

v0.0.1

将论文保存到 Zotero 文库,请按照 userid:apiKey 的格式配置 ZOTERO_CREDENTIALS 环境变量。

0· 174·0 current·0 all-time
bywangjiayu@little-cat1

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for little-cat1/openclaw-zotero-scholar.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "openclaw-zotero-scholar" (little-cat1/openclaw-zotero-scholar) from ClawHub.
Skill page: https://clawhub.ai/little-cat1/openclaw-zotero-scholar
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required env vars: ZOTERO_CREDENTIALS
Required binaries: uv
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install openclaw-zotero-scholar

ClawHub CLI

Package manager switcher

npx clawhub@latest install openclaw-zotero-scholar
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description, SKILL.md, and Python script align: they read ZOTERO_CREDENTIALS and use the Zotero API to create items, notes, and attach PDFs. However, the skill requires a 'uv' binary (and provides a brew install for 'uv') even though the runtime is a Python script using pyzotero; that requirement appears unnecessary or at least unexplained.
Instruction Scope
SKILL.md instructs the agent to run the included Python script via 'uv run' and to provide paper metadata; the script only reads ZOTERO_CREDENTIALS and command-line args, checks/creates Zotero items, optionally downloads PDFs from arxiv.org, and uploads attachments. It does not attempt to read other files or unrelated environment variables.
!
Install Mechanism
Install spec requires 'brew formula: uv' which will install a binary named 'uv'. The Python script itself requires pyzotero but the install spec does not install Python packages. Requiring 'uv' to run a Python script is disproportionate/unexplained and may cause unexpected software to be installed; the brew source is not further specified (tap), so verify what 'uv' refers to before installing.
Credentials
Only ZOTERO_CREDENTIALS (userid:apiKey) is required and used by the script. That is proportional to the skill's purpose. Recommend using a Zotero API key with the minimum privileges needed rather than a full account credential.
Persistence & Privilege
The skill does not request always:true and does not modify system-wide settings. It will be invocable and can run autonomously per platform defaults; this is expected for skills and is not a standalone concern here.
What to consider before installing
This skill appears to do what it says (saving papers to your Zotero library), but there are some practical inconsistencies you should consider before installing: - Review the 'uv' requirement: the SKILL requires a binary named 'uv' and offers a brew install for it, but the runtime is a Python script. Confirm what the 'uv' brew formula actually installs and whether you need it; you may instead run the script with python directly (python3 scripts/save_paper.py ...) if you prefer not to add unknown binaries. - Python dependency not installed: the script depends on the pyzotero package but the install spec doesn't install Python packages. Ensure pyzotero is installed in the runtime environment (pip install pyzotero) or the script will fail. - Credentials scope: provide a Zotero API key with minimal necessary scope (a dedicated key for writes if possible) rather than a high-privilege token. The script expects ZOTERO_CREDENTIALS='userID:apiKey'. - Network behavior: the script will call Zotero's API and may download PDFs from arxiv.org when URLs point to arXiv. If you do not want automatic PDF downloads, avoid passing arXiv URLs or edit the script. - Inspect before running: because the brew formula 'uv' is unspecified, inspect what it installs and, if you are unsure, run the Python script in a controlled environment (container or sandbox) after installing pyzotero and using a limited-scope Zotero key. If these points are acceptable and you confirm the 'uv' package is safe or unnecessary for your setup, the skill seems functionally coherent. If you cannot verify the brew formula or do not want extra binaries installed, treat this as a red flag and do not install.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

📚 Clawdis
Binsuv
EnvZOTERO_CREDENTIALS
Primary envZOTERO_CREDENTIALS

Install

Install uv (brew)
Bins: uv
brew install uv
latestvk9742kbv1v9pqe1g9v5z9y8vjn838qzk
174downloads
0stars
1versions
Updated 23h ago
v0.0.1
MIT-0
wangjiayu@little-cat1
latest
Download

Zotero Scholar

专业的文献入库助手。可以将论文元数据、PDF 链接以及 AI 生成的总结一键保存到你的 Zotero 库中。

使用示例

可以读取环境变量 ZOTERO_CREDENTIALS 中的 Zotero 凭据,格式为 userid:apiKey

使用环境变量运行

uv run {baseDir}/scripts/save_paper.py \
  --title "Attention Is All You Need" \
  --authors "Vaswani et al." \
  --url "https://arxiv.org/abs/1706.03762"

参数说明

参数说明
--title论文标题
--authors作者列表(逗号分隔)
--url论文链接 (用于排重)
--abstract论文摘要
--summary(AI 生成) 简短总结或 Insight
--tags标签列表(逗号分隔)

Comments

Loading comments...