by 安全扫描
OpenClaw
安全
high confidenceThe skill's code, declared requirements, and runtime instructions are coherent for saving papers to Zotero and only request the Zotero credentials they need.
评估建议
This skill appears to do exactly what it says: create Zotero items (and optionally attach PDFs) using ZOTERO_CREDENTIALS in the format userID:apiKey. Before installing, verify the source of the Homebrew 'uv' formula (it's an uncommon package name) and ensure your runtime has Python and the pyzotero package installed. Keep your ZOTERO_CREDENTIALS secret—the script will use them to write to your Zotero library. Note that arXiv PDF downloads and uploads happen temporarily on disk and then are uploa...详细分析 ▾
✓ 用途与能力
The name/description (save papers to Zotero) matches the code and required env var (ZOTERO_CREDENTIALS). The script uses the pyzotero library and the ZOTERO_CREDENTIALS (userid:apiKey) to create items and attach PDFs—this is consistent with the stated purpose. The only mild oddity: the skill requires a 'uv' binary to run the script instead of invoking python directly; this is a convenience/runtime choice rather than a mismatch in capability.
✓ 指令范围
SKILL.md instructs running the included script via 'uv run' and to set ZOTERO_CREDENTIALS. The script only reads that env var and the provided CLI arguments; it does not attempt to read unrelated files, other environment variables, or contact endpoints outside of Zotero and (optionally) arXiv for PDF downloads. No open-ended or vague instructions that grant broad discretionary data access.
ℹ 安装机制
Install spec only installs a Homebrew formula 'uv' (creates a uv binary). This is a low-risk, package-manager-based install, but 'uv' is an uncommon binary name—verify the formula/source before installing. The script declares a Python dependency (pyzotero>=1.6.0) in its header, but the install spec does not install Python packages; the user will need to ensure pyzotero is present in the runtime environment (e.g., pip install pyzotero).
✓ 凭证需求
Only ZOTERO_CREDENTIALS is required and used by the script; that credential is necessary and proportionate for creating items in a Zotero user library. No extra or unrelated secrets/config paths are requested.
✓ 持久化与权限
The skill is not always-enabled and does not request elevated or persistent platform-wide privileges. It does not modify other skills or global agent settings; file writes are limited to a temporary directory when downloading PDFs.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv0.0.22026/2/15
- Updated skill description to clarify ZOTERO_CREDENTIALS formatting and usage. - Changed metadata emoji from 🧠 to 📚. - Added explicit brew-based install instructions for the uv binary in metadata. - Improved documentation for environment variable configuration and usage examples. - Removed detailed dependency section regarding PEP 723 and streamlined the instructions.
● 无害
安装命令 点击复制
官方npx clawhub@latest install zotero-scholar
镜像加速npx clawhub@latest install zotero-scholar --registry https://cn.clawhub-mirror.com
技能文档
专业的文献入库助手。可以将论文元数据、PDF 链接以及 AI 生成的总结一键保存到你的 Zotero 库中。
使用示例
可以读取环境变量ZOTERO_CREDENTIALS 中的 Zotero 凭据,格式为 userid:apiKey。使用环境变量运行
uv run {baseDir}/scripts/save_paper.py \
--title "Attention Is All You Need" \
--authors "Vaswani et al." \
--url "https://arxiv.org/abs/1706.03762"
参数说明
| 参数 | 说明 |
|---|---|
--title | 论文标题 |
--authors | 作者列表(逗号分隔) |
--url | 论文链接 (用于排重) |
--abstract | 论文摘要 |
--summary | (AI 生成) 简短总结或 Insight |
--tags | 标签列表(逗号分隔) |
数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制
免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制