ClawHub

Zotero

v1.0.0

Manage Zotero reference libraries via the Web API. Search, list, add items by DOI/ISBN/PMID (with duplicate detection), delete/trash items, update metadata and tags, export in BibTeX/RIS/CSL-JSON, batch-add from files, check PDF attachments, cross-reference citations, find missing DOIs via CrossRef, and fetch open-access PDFs. Supports --json output for scripting. Use when the user asks about academic references, citation management, literature libraries, PDFs for papers, bibliography export, or Zotero specifically.

4· 3.1k·23 current·23 all-time
by@terwox
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Zotero management) align with required env vars (ZOTERO_API_KEY, ZOTERO_USER_ID) and the included Python script that calls the Zotero Web API and external bibliography services (CrossRef, Unpaywall, Semantic Scholar). No unrelated credentials or odd binaries are requested.
Instruction Scope
SKILL.md instructions are narrowly scoped to Zotero operations (list/search/add/update/delete/export, PDF fetching, DOI lookups). Optional CROSSREF_EMAIL is documented and used for polite CrossRef requests. Commands reference files and URLs only where necessary (batch-add reads an identifier file; fetch-pdfs downloads OA PDFs). There are no instructions to read arbitrary system files, harvest unrelated environment variables, or transmit data to unexpected endpoints.
Install Mechanism
No install spec — instruction-only skill with a bundled Python script (scripts/zotero.py). This is low-risk compared with arbitrary downloads. The included script has no external dependency installs and uses standard library urllib; shipping a script is expected for CLI-style skills. Note: because code is included, users should review it before trusting.
Credentials
Only Zotero-specific credentials are required (ZOTERO_API_KEY and ZOTERO_USER_ID or ZOTERO_GROUP_ID). CROSSREF_EMAIL is optional and justified. The number and naming of env vars are proportional to the functionality described.
Persistence & Privilege
Skill does not request always:true and is user-invocable; it does not claim to modify other skills or system-wide agent settings. It runs on demand and requires the user to provide API credentials to operate.
Assessment
This skill appears coherent and limited to managing Zotero libraries. Consider the following before installing: 1) Only provide a Zotero API key with the minimum necessary permissions (create a write-restricted key if you only need read access). 2) The script will send your API key over the network to api.zotero.org (this is required for the functionality) — only use it if you trust the skill source. 3) The fetch-pdfs commands may download PDFs and optionally upload them to your Zotero storage; review and use --dry-run and --download-dir first. 4) Although the code is small and uses the Python standard library, you should review scripts/zotero.py if you want to be certain there is no unwanted behavior (the package source/homepage is unknown). 5) Because the skill is not always-enabled, it won't run automatically — you must invoke it (or grant the agent permission to invoke it).

Like a lobster shell, security has layers — review code before you run it.

latestvk9798dk75gnz649mfdwyyjs92d808sqp

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📚 Clawdis
EnvZOTERO_API_KEY, ZOTERO_USER_ID
Primary envZOTERO_API_KEY

Comments