mozisword

zotero-myscholar

by Mozisword · v1.0.0 · MIT-0
cross-platform · ⚠ suspicious
Downloads: 332 · Stars: 0 · Active Installs: 0 · Versions: 1
Install in OpenClaw
/install zotero-myscholar
Description
Saves papers to a Zotero library. Configure the ZOTERO_CREDENTIALS environment variable in the format userid:apiKey.
Usage Guidance
Do not install or run this skill until the author explains and fixes the inconsistency. Specific actions to take:
- Ask the publisher to remove any hard-coded credentials from source and to use the declared ZOTERO_CREDENTIALS environment variable as documented.
- If the exposed string is a real Zotero API key, consider it leaked: ask the author to confirm and rotate (revoke) the key immediately.
- Verify the corrected code reads os.environ.get('ZOTERO_CREDENTIALS') and parses it, and that no other secrets are embedded.
- Confirm why 'uv' is required and whether the runtime can just call python; avoid installing unfamiliar binaries unless necessary.
- If you already installed or ran this skill with sensitive credentials present, rotate those credentials now and audit the account for unauthorized changes.
This looks like either a careless credential leak or an attempt to hide credentials; treat it as suspicious until resolved.
Capability Analysis
Type: OpenClaw Skill
Name: zotero-myscholar
Version: 1.0.0
The skill contains a significant discrepancy between its documentation and its implementation. While SKILL.md instructs the user to set a ZOTERO_CREDENTIALS environment variable, the actual script in scripts/save_paper.py is hardcoded to look for an environment variable named '19883603:YtIe0tqZtA12wBvFDTB8EIRR', which appears to be a leaked or hardcoded Zotero API key. This inconsistency and the presence of hardcoded credentials suggest either a broken implementation or a potential security risk, although no direct evidence of data exfiltration to an attacker-controlled endpoint was found.
Capability Assessment
Purpose & Capability
Name/description claim to save papers to a Zotero library; the code and SKILL.md implement exactly that (create items, add notes, attach arXiv PDFs). Asking for a ZOTERO_CREDENTIALS env var and requiring a runner binary ('uv') is broadly consistent, though requiring 'uv' (instead of just python) is an implementation detail and may be unnecessary.
Instruction Scope
SKILL.md describes reading ZOTERO_CREDENTIALS and running scripts via 'uv'. The actual script behaves as described (creates Zotero items, downloads PDFs from arXiv). However there is a critical mismatch: the real script reads os.environ.get('19883603:YtIe0tqZtA12wBvFDTB8EIRR') (a literal userid:apiKey string) instead of ZOTERO_CREDENTIALS. This both contradicts the documentation and embeds what looks like a credential in source. That is out-of-scope for a benign helper (leaks secrets and is inconsistent).
Install Mechanism
Install spec is a single Homebrew formula 'uv' (creates binary 'uv'). This is a low-to-moderate risk install mechanism (brew is standard). It is somewhat surprising that a Python script would require installing 'uv' rather than invoking python directly, but this is an implementation choice rather than an obvious malicious vector.
Credentials
Declared required env var is ZOTERO_CREDENTIALS (expected). The script, however, tries to read an environment variable whose name is the literal string '19883603:YtIe0tqZtA12wBvFDTB8EIRR' (which looks like userID:apiKey). That both embeds a credential in the repository and fails to honor the declared env var name — a disproportionate and suspicious discrepancy. If that literal is a real API key, it is leaked in the skill source.
Persistence & Privilege
The skill is not 'always: true' and does not request extra system-wide privileges or modify other skills. It runs a script and requires network access to Zotero/arXiv as expected; autonomous invocation is allowed by default but is not combined with elevated persistence.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install zotero-myscholar
  3. After installation, invoke the skill by name or use /zotero-myscholar
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of Zotero Scholar (zotero-myscholar):
- Save academic papers, metadata, PDF links, and AI-generated summaries directly to your Zotero library.
- Supports de-duplication by paper URL and adds notes/tags.
- Downloads and attaches PDFs from arXiv if available.
- Requires configuration of ZOTERO_CREDENTIALS environment variable (format: userid:apiKey).
- Command-line usage via Python script with clear argument options.
Metadata
Slug zotero-myscholar
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is zotero-myscholar?

Saves papers to a Zotero library. Configure the ZOTERO_CREDENTIALS environment variable in the format userid:apiKey. It is an AI Agent Skill for Claude Code / OpenClaw, with 332 downloads so far.

How do I install zotero-myscholar?

Run "/install zotero-myscholar" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is zotero-myscholar free?

Yes, zotero-myscholar is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does zotero-myscholar support?

zotero-myscholar is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created zotero-myscholar?

It is built and maintained by Mozisword (@mozisword); the current version is v1.0.0.
