Zenodo Skill

v1.0.0

Use whenever the user mentions Zenodo, depositing or publishing research artifacts (datasets, software, papers, posters) to Zenodo, minting a DOI for a datas...

⭐ 0· 116·0 current·0 all-time

byAgents365.ai@agents365-ai

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for agents365-ai/zenodo-skill.

Previewing Install & Setup.

Prompt PreviewInstall & Setup

Install the skill "Zenodo Skill" (agents365-ai/zenodo-skill) from ClawHub.
Skill page: https://clawhub.ai/agents365-ai/zenodo-skill
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required env vars: ZENODO_TOKEN
Required binaries: curl
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install zenodo-skill

ClawHub CLI

Package manager switcher

npx clawhub@latest install zenodo-skill

Security Scan

Capability signals

CryptoCan make purchasesRequires OAuth token

These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal

Pending

View report →

OpenClaw

Benign

high confidence

✓

Purpose & Capability

Name/description (depositing, publishing, versioning, searching on Zenodo) align with the declared requirements: curl and a ZENODO_TOKEN. The files and examples exclusively target the Zenodo API and related local files (metadata.json, ./data/*), which are expected for this functionality.

✓

Instruction Scope

SKILL.md and example scripts limit actions to Zenodo API calls (create deposition, upload via bucket, PUT metadata, publish, search). It reads local files to upload and reads $ZENODO_TOKEN/$ZENODO_BASE; it does not instruct reading unrelated system files or sending data to non-Zenodo endpoints. It explicitly warns to avoid inlining tokens and to confirm irreversible production publishes.

✓

Install Mechanism

No install spec and no code files to write or execute. Instruction-only skills are lower-risk because nothing is downloaded or installed by the skill itself.

✓

Credentials

Only one required environment variable (ZENODO_TOKEN) is declared and used; this is necessary for authenticated Zenodo operations. Optional ZENODO_BASE is reasonable for sandbox vs production. No unrelated credentials or system config paths are requested.

ℹ

Persistence & Privilege

always:false (no forced inclusion). The agent policy file allows implicit invocation (allow_implicit_invocation:true) and model invocation is enabled by default — this is normal for skills, but remember that if the agent has access to a valid ZENODO_TOKEN it can perform authenticated actions programmatically. The skill mitigates risk by recommending sandbox-first and requiring explicit confirmation before irreversible production publish.

Assessment

This skill appears coherent and limited to the Zenodo API, but before installing: 1) Only provide a Zenodo token with the minimum required scopes (deposit:write and deposit:actions); use a sandbox token for testing. 2) Do not paste tokens into chat or inline them into commands shown to others; store them in your environment. 3) Be aware that if the agent can invoke the skill and the token is available, it can create/publish deposits — prefer sandbox unless you explicitly confirm production publishes. 4) Because this is an instruction-only skill from an external GitHub repo, review the repository yourself (or the SKILL.md/README contents, which are included) and only install from a source you trust. 5) Rotate/revoke the token if you stop using the skill or suspect misuse.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

📦 Clawdis

OSmacOS · Linux · Windows

Binscurl

EnvZENODO_TOKEN

latestvk971b0cdejp1j2bgebzcjhe0td84cs6r

116downloads

0stars

1versions

Updated 3w ago

v1.0.0

MIT-0

macOS, Linux, Windows

Zenodo Skill

Interact with the Zenodo REST API to deposit, publish, version, and search research artifacts. Zenodo issues a citable DOI for every published record.

When to use

User wants to upload a dataset, code release, paper, poster, or other artifact to Zenodo
User wants a DOI for a research output
User wants to update an existing deposit or publish a new version
User wants to search Zenodo for records

Setup

Two environments — pick one and stick with it during a session:

Env	Base URL	Token page
Production	`https://zenodo.org/api`	https://zenodo.org/account/settings/applications/tokens/new/
Sandbox (testing)	`https://sandbox.zenodo.org/api`	https://sandbox.zenodo.org/account/settings/applications/tokens/new/

Sandbox accounts/tokens are separate from production. Always test new workflows in sandbox first — published production records cannot be deleted.

Required token scopes: deposit:write and deposit:actions.

Export the token before running commands:

export ZENODO_TOKEN=...        # never inline the token in commands you show the user
export ZENODO_BASE=https://sandbox.zenodo.org/api   # or https://zenodo.org/api

If ZENODO_TOKEN is unset, ask the user for it (and which environment) before proceeding.

Core workflow: deposit a new artifact

The deposit lifecycle is create → upload files → set metadata → publish. Each step is a separate API call; do them in order.

1. Create an empty deposition

curl -sS -X POST "$ZENODO_BASE/deposit/depositions" \
  -H "Authorization: Bearer $ZENODO_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{}'

The response JSON contains two things you need to remember:

id — the deposition id, used for metadata/publish/version actions
links.bucket — the bucket URL for file uploads (new files API)

Capture them, e.g. with jq:

RESP=$(curl -sS -X POST "$ZENODO_BASE/deposit/depositions" \
  -H "Authorization: Bearer $ZENODO_TOKEN" -H "Content-Type: application/json" -d '{}')
DEPOSIT_ID=$(echo "$RESP" | jq -r .id)
BUCKET=$(echo "$RESP" | jq -r .links.bucket)

2. Upload files (bucket API — preferred)

The bucket API supports up to 50 GB total / 100 files per record. Use --upload-file (HTTP PUT) — not multipart form upload. The filename in the URL is what shows up on the record.

curl -sS --upload-file ./data.csv \
  -H "Authorization: Bearer $ZENODO_TOKEN" \
  "$BUCKET/data.csv"

Repeat per file. For many files, loop in shell. The legacy /files multipart endpoint is capped at 100 MB/file — avoid it.

3. Set metadata

Metadata goes via PUT on the deposition. Required fields: upload_type, title, creators, description. See references/metadata.md for the full schema, allowed upload_type values, license codes, and conditional fields (e.g. publication_type, embargo_date).

Minimal example:

curl -sS -X PUT "$ZENODO_BASE/deposit/depositions/$DEPOSIT_ID" \
  -H "Authorization: Bearer $ZENODO_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "metadata": {
      "title": "My dataset",
      "upload_type": "dataset",
      "description": "<p>A short description (HTML allowed).</p>",
      "creators": [{"name": "Doe, Jane", "affiliation": "Example Univ.", "orcid": "0000-0002-1825-0097"}]
    }
  }'

Read the response — Zenodo validates here and returns 400 with field-level errors if anything is missing or malformed. Fix and retry before publishing.

4. Publish

Publishing is irreversible on production (you can edit metadata later but cannot remove files or delete the record). Confirm with the user before this step unless they're on sandbox.

curl -sS -X POST "$ZENODO_BASE/deposit/depositions/$DEPOSIT_ID/actions/publish" \
  -H "Authorization: Bearer $ZENODO_TOKEN"

The response contains doi and links.record_html — show both to the user.

New version of an existing record

Use this when the user has previously published and wants to release updated data/code under the same concept-DOI.

# 1. Create new version draft (returns links.latest_draft)
curl -sS -X POST "$ZENODO_BASE/deposit/depositions/$DEPOSIT_ID/actions/newversion" \
  -H "Authorization: Bearer $ZENODO_TOKEN"

Then follow the bucket of the new draft (from links.latest_draft → GET it → use its links.bucket) to upload changed files, update metadata, and publish as in steps 2–4 above. The new version inherits files from the previous version by default — delete any you want to replace via DELETE $BUCKET/<filename>.

Discard a draft

curl -sS -X POST "$ZENODO_BASE/deposit/depositions/$DEPOSIT_ID/actions/discard" \
  -H "Authorization: Bearer $ZENODO_TOKEN"

Search published records

No token needed for public search.

curl -sS "$ZENODO_BASE/records?q=climate+model&size=10&sort=mostrecent"

Query syntax is Elasticsearch — fielded queries like creators.name:"Doe, Jane", communities:zenodo, resource_type.type:dataset all work. See references/search.md for query patterns.

Conventions and gotchas

Always check HTTP status. 201 = created, 202 = publish accepted, 400 = metadata error (read the body), 401 = bad token, 403 = wrong scope, 429 = rate limited.
Rate limits: 100 req/min, 5000 req/hour for authenticated users. Watch X-RateLimit-Remaining.
Never inline the token in commands you display — use $ZENODO_TOKEN. Don't write the token to files.
Sandbox first. Suggest sandbox for any first-time workflow; switch to production only when the user explicitly confirms.
Verify before publishing. GET the deposition and review files + metadata with the user before calling actions/publish on production.
Large uploads: for files > a few hundred MB, consider doing the curl upload with --progress-bar and warn the user about time/bandwidth.

References

references/metadata.md — full metadata schema, upload_type values, license codes, conditional fields
references/search.md — search query syntax and useful filters
references/examples.md — end-to-end shell scripts for common scenarios (dataset upload, software release, new version)

Comments

Loading comments...