Zotero
Pass
Audited by ClawScan on May 1, 2026.
Overview
The skill is coherent for Zotero library management, but users should understand that it reads and changes their Zotero library through an API key, so the permissions on that key set the limit of what the skill can do.
This appears to be a legitimate Zotero management skill. Before installing, create a Zotero API key with the minimum permissions needed, confirm whether it targets your personal or group library, use dry-run and limit options for bulk operations, and be especially careful with update, force, upload, and permanent-delete commands.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes, so what the bundled script actually does when it runs (for example, which hosts it contacts) is outside the scope of this verdict and remains the installer's to check.
If the key has write permissions, the skill can read and modify a personal or group Zotero library.
The skill needs a Zotero API key and a user or group library identifier. This is expected for Zotero Web API management, but it grants access to the whole library at whatever level the key permits (read-only or read/write), not to individual items.
Requires two environment variables: ZOTERO_API_KEY ... ZOTERO_USER_ID ... For group libraries, set `ZOTERO_GROUP_ID` instead of `ZOTERO_USER_ID`.
Use a Zotero API key with only the permissions needed (Zotero's key creation page lets you leave write access off and grant access to specific groups rather than all of them), verify whether it targets a user or group library, and revoke or rotate the key when no longer needed.
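A pre-install check for that recommendation, as an added example that is not part of the ClawScan report or of the skill: the Zotero Web API reports a key's privileges at GET https://api.zotero.org/keys/<key>, and the script below interprets that JSON against the ZOTERO_USER_ID / ZOTERO_GROUP_ID configuration the skill documents, flagging write access, file upload and access wider than the targeted library. The embedded response is a constructed sample; the `--live` flag and the assumption that groups report only `library`/`write` flags are this example's own, to be confirmed against the Zotero Web API documentation.

```python
"""Audit the Zotero API key a skill will be handed, before installing it.

Added example, not part of the ClawScan report or the skill. Compares the
privileges Zotero reports for a key (GET /keys/<key>) with the library the
skill targets via ZOTERO_USER_ID or ZOTERO_GROUP_ID. With no arguments it
audits the constructed sample; --live (assumed flag) fetches ZOTERO_API_KEY.
"""
import json
import os
import sys
import urllib.request
from typing import Optional

ZOTERO_API = "https://api.zotero.org"

# Constructed sample: full personal-library access, read access to all groups,
# write access to one group. Shape follows the Zotero Web API v3 key endpoint.
SAMPLE_KEY_INFO = json.loads("""
{
  "key": "REDACTED", "userID": 1234567, "username": "example",
  "access": {
    "user":   {"library": true, "files": true, "notes": true, "write": true},
    "groups": {"all": {"library": true, "write": false},
               "98765": {"library": true, "write": true}}
  }
}
""")


def fetch_key_info(api_key: str, timeout: float = 10.0) -> dict:
    """Live lookup. The key travels in the URL path, so keep this HTTPS-only."""
    req = urllib.request.Request(f"{ZOTERO_API}/keys/{api_key}",
                                 headers={"Zotero-API-Version": "3"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def _flag(perms: dict, name: str) -> bool:
    return bool(perms.get(name, False))


def audit_key(info: dict, user_id: Optional[str], group_id: Optional[str]) -> dict:
    """Return read/write/upload capability on the targeted library plus findings.

    Findings are (level, message): "error" = key unusable or mis-targeted,
    "warn" = key is broader than a least-privilege skill needs.
    """
    access = info.get("access", {})
    user_access, group_access = access.get("user", {}), access.get("groups", {})
    findings = []
    if group_id:  # skill docs: ZOTERO_GROUP_ID replaces ZOTERO_USER_ID
        target = f"group {group_id}"
        perms = group_access.get(str(group_id)) or group_access.get("all") or {}
        can_read, can_write = _flag(perms, "library"), _flag(perms, "write")
        can_upload = can_write  # assumption: groups report no separate files flag
        if _flag(user_access, "library"):
            findings.append(("warn", "key also reads the personal library, which a group-targeted skill does not need"))
        if "all" in group_access:
            findings.append(("warn", "key is granted access to all groups, not only the target group"))
        extras = sorted(g for g in group_access if g not in ("all", str(group_id)))
        if extras:
            findings.append(("warn", "key also grants access to other groups: " + ", ".join(extras)))
    elif user_id:
        target = f"user {user_id}"
        if str(info.get("userID")) != str(user_id):
            findings.append(("error", f"key belongs to user {info.get('userID')}, not ZOTERO_USER_ID={user_id}"))
        can_read, can_write = _flag(user_access, "library"), _flag(user_access, "write")
        can_upload = can_write and _flag(user_access, "files")
        if group_access:
            findings.append(("warn", "key also grants group-library access, which a personal-library skill does not need"))
    else:
        return {"target": None, "can_read": False, "can_write": False, "can_upload_files": False,
                "findings": [("error", "set ZOTERO_USER_ID or ZOTERO_GROUP_ID")], "ok": False}
    if not can_read:
        findings.append(("error", f"key cannot read {target}; the skill will not work"))
    if can_write:
        findings.append(("warn", f"key can modify {target}: update, delete and permanent delete are possible"))
    if can_upload:
        findings.append(("warn", f"key can upload attachment files to {target}"))
    ok = can_read and not any(level == "error" for level, _ in findings)
    return {"target": target, "can_read": can_read, "can_write": can_write,
            "can_upload_files": can_upload, "findings": findings, "ok": ok}


def main(argv: list) -> int:
    if "--live" in argv:
        info = fetch_key_info(os.environ["ZOTERO_API_KEY"])
        user_id, group_id = os.environ.get("ZOTERO_USER_ID"), os.environ.get("ZOTERO_GROUP_ID")
    else:  # offline: audit the constructed sample as a personal-library key
        info, user_id, group_id = SAMPLE_KEY_INFO, "1234567", None
    result = audit_key(info, user_id, group_id)
    print(f"target={result['target']} read={result['can_read']} write={result['can_write']} "
          f"files={result['can_upload_files']} ok={result['ok']}")
    for level, msg in result["findings"]:
        print(f"  [{level}] {msg}")
    return 0 if result["ok"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it once with the key and the same ZOTERO_USER_ID or ZOTERO_GROUP_ID you intend to give the skill. A "warn" for write access is expected if you need update, upload or delete; any other warn means the key reaches libraries the skill has no business touching, and an "error" means the key and identifier do not match.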
Mistaken commands could change metadata, add unwanted entries, attach PDFs, or delete references from the Zotero library.
The documented commands can modify, bulk add, trash, or permanently delete Zotero items. This is purpose-aligned and disclosed, with some safeguards, but it is still high-impact account mutation capability.
`delete` | Move items to trash ... `update` | Modify item metadata/tags ... `delete KEY1 --permanent --yes`
Review item keys and collection scope before write operations, start with dry-run or small limits where available, and avoid `--permanent`, `--force`, or bulk actions unless explicitly intended.
Private or unpublished bibliography details could be revealed to external lookup services during DOI/PDF workflows.
The skill discloses external provider calls for DOI lookup and open-access PDF discovery, which may send citation metadata, DOIs, and optionally an email address to third-party services.
Optional env var for CrossRef/Unpaywall polite pool ... `CROSSREF_EMAIL` ... Tries three legal OA sources in order: Unpaywall → Semantic Scholar → DOI content negotiation.
Use DOI/PDF lookup features only for references you are comfortable querying externally, and scope operations with `--limit` or `--collection` when possible.
It is harder to verify the publisher, maintenance history, or upstream changes before trusting the skill with a Zotero API key.
The registry metadata does not provide a verifiable source repository or homepage, which is a provenance gap for a skill that handles API credentials and account mutations.
Source: unknown
Homepage: none
Review the included script before use, prefer a least-privilege API key, and keep a known-reviewed copy if you depend on the skill.
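The "known-reviewed copy" recommendation, implemented as an added example that is not part of the ClawScan report or of the skill: record a SHA-256 manifest of the skill directory once you have read the bundled script, and verify the directory against that manifest before each session, so a silent change to SKILL.md or the script is noticed before the skill sees the API key. The skill directory and manifest path are whatever you pass on the command line; `demo()` runs the same record/tamper/verify cycle on a constructed temporary directory so the script works offline.

```python
"""Pin a reviewed copy of an installed skill and detect later changes.

Added example, not part of the ClawScan report or the skill. Usage:
  record <skill_dir> <manifest.json>   after reviewing the files
  verify <skill_dir> <manifest.json>   before each use; exit 1 on any change
With no arguments it runs demo() on a constructed temporary directory.
"""
import hashlib
import json
import sys
import tempfile
from pathlib import Path


def hash_tree(root) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    digests = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def diff_manifest(recorded: dict, current: dict) -> dict:
    """Classify differences between the reviewed manifest and what is on disk now."""
    return {
        "added": sorted(set(current) - set(recorded)),
        "removed": sorted(set(recorded) - set(current)),
        "changed": sorted(p for p in recorded.keys() & current.keys()
                          if recorded[p] != current[p]),
    }


def record(skill_dir, manifest_path) -> dict:
    """Write the manifest for the directory as it is right now (post-review)."""
    manifest = hash_tree(skill_dir)
    Path(manifest_path).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify(skill_dir, manifest_path) -> dict:
    """Compare the directory against the recorded manifest."""
    recorded = json.loads(Path(manifest_path).read_text())
    return diff_manifest(recorded, hash_tree(skill_dir))


def demo() -> dict:
    """Offline walkthrough on a constructed skill directory: record, tamper, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        skill = Path(tmp) / "zotero"
        (skill / "scripts").mkdir(parents=True)
        (skill / "SKILL.md").write_text("# Zotero skill (constructed sample)\n")
        (skill / "scripts" / "zotero.py").write_text("print('reviewed version')\n")
        manifest = Path(tmp) / "zotero.manifest.json"
        record(skill, manifest)
        # Simulate an unreviewed update: the script body changes and a new file appears.
        (skill / "scripts" / "zotero.py").write_text("print('updated version')\n")
        (skill / "scripts" / "helper.sh").write_text("echo hi\n")
        return verify(skill, manifest)


def main(argv) -> int:
    if len(argv) == 3 and argv[0] in ("record", "verify"):
        skill_dir, manifest = argv[1], argv[2]
        if argv[0] == "record":
            print(f"recorded {len(record(skill_dir, manifest))} files into {manifest}")
            return 0
        delta = verify(skill_dir, manifest)
        clean = not any(delta.values())
        print("unchanged since review" if clean else json.dumps(delta, indent=2))
        return 0 if clean else 1
    print(json.dumps(demo(), indent=2))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Keep the manifest outside the skill directory (and ideally under version control), since anything that can rewrite the skill's files could otherwise rewrite the manifest too; a non-empty `changed` or `added` list is the cue to re-review before exporting ZOTERO_API_KEY.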
