Total downloads: 332
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install zotero-myscholar
Description
Saves papers to a Zotero library. Configure the ZOTERO_CREDENTIALS environment variable in the format userid:apiKey.
Security recommendations
Do not install or run this skill until the author explains and fixes the inconsistency. Specific actions to take:
- Ask the publisher to remove any hard-coded credentials from source and to use the declared ZOTERO_CREDENTIALS environment variable as documented.
- If the exposed string is a real Zotero API key, consider it leaked: ask the author to confirm and rotate (revoke) the key immediately.
- Verify the corrected code reads os.environ.get('ZOTERO_CREDENTIALS') and parses it, and that no other secrets are embedded.
- Confirm why 'uv' is required and whether the runtime can just call python; avoid installing unfamiliar binaries unless necessary.
- If you already installed or ran this skill with sensitive credentials present, rotate those credentials now and audit the account for unauthorized changes.
This looks like either a careless credential leak or an attempt to hide credentials; treat it as suspicious until resolved.
Functional analysis
Type: OpenClaw Skill
Name: zotero-myscholar
Version: 1.0.0
The skill contains a significant discrepancy between its documentation and its implementation. While SKILL.md instructs the user to set a ZOTERO_CREDENTIALS environment variable, the actual script in scripts/save_paper.py is hardcoded to look for an environment variable named '19883603:YtIe0tqZtA12wBvFDTB8EIRR', which appears to be a leaked or hardcoded Zotero API key. This inconsistency and the presence of hardcoded credentials suggest either a broken implementation or a potential security risk, although no direct evidence of data exfiltration to an attacker-controlled endpoint was found.
Capability assessment
Purpose & Capability
Name/description claim to save papers to a Zotero library; the code and SKILL.md implement exactly that (create items, add notes, attach arXiv PDFs). Asking for a ZOTERO_CREDENTIALS env var and requiring a runner binary ('uv') is broadly consistent, though requiring 'uv' (instead of just python) is an implementation detail and may be unnecessary.
Instruction Scope
SKILL.md describes reading ZOTERO_CREDENTIALS and running scripts via 'uv'. The actual script behaves as described (creates Zotero items, downloads PDFs from arXiv). However there is a critical mismatch: the real script reads os.environ.get('19883603:YtIe0tqZtA12wBvFDTB8EIRR') (a literal userid:apiKey string) instead of ZOTERO_CREDENTIALS. This both contradicts the documentation and embeds what looks like a credential in source. That is out-of-scope for a benign helper (leaks secrets and is inconsistent).
Install Mechanism
Install spec is a single Homebrew formula 'uv' (creates binary 'uv'). This is a low-to-moderate risk install mechanism (brew is standard). It is somewhat surprising that a Python script would require installing 'uv' rather than invoking python directly, but this is an implementation choice rather than an obvious malicious vector.
Credentials
Declared required env var is ZOTERO_CREDENTIALS (expected). The script, however, tries to read an environment variable whose name is the literal string '19883603:YtIe0tqZtA12wBvFDTB8EIRR' (which looks like userID:apiKey). That both embeds a credential in the repository and fails to honor the declared env var name — a disproportionate and suspicious discrepancy. If that literal is a real API key, it is leaked in the skill source.
Persistence & Privilege
The skill is not 'always: true' and does not request extra system-wide privileges or modify other skills. It runs a script and requires network access to Zotero/arXiv as expected; autonomous invocation is allowed by default but is not combined with elevated persistence.
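How to use
- Make sure OpenClaw is installed (locally or via Docker)
- Enter the install command in the chat box: /install zotero-myscholar
- After installation, call the Skill by name or use /zotero-myscholar to trigger it
- Provide the required inputs according to the Skill's parameter description to get structured output
Version history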
v1.0.0
Initial release of Zotero Scholar (zotero-myscholar):
- Save academic papers, metadata, PDF links, and AI-generated summaries directly to your Zotero library.
- Supports de-duplication by paper URL and adds notes/tags.
- Downloads and attaches PDFs from arXiv if available.
- Requires configuration of ZOTERO_CREDENTIALS environment variable (format: userid:apiKey).
- Command-line usage via Python script with clear argument options.
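FAQ
What is zotero-myscholar?
Saves papers to a Zotero library. Configure the ZOTERO_CREDENTIALS environment variable in the format userid:apiKey. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 332 cumulative downloads so far.
How do I install zotero-myscholar?
Run the command "/install zotero-myscholar" in the OpenClaw or Claude Code chat box for a one-click install; no extra configuration is needed.
Is zotero-myscholar free?
Yes, zotero-myscholar is completely free. It is released under the MIT-0 license and can be freely downloaded, installed and used.
Which platforms does zotero-myscholar support?
zotero-myscholar runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed zotero-myscholar?
It is developed and maintained by Mozisword (@mozisword); the current version is v1.0.0.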