Is gottenzzp/zotero-sholar safe?
https://github.com/openclaw/skills/tree/main/skills/gottenzzp/zotero-sholar
The zotero-sholar skill is a well-scoped Zotero bibliography tool with no prompt injection, no exfiltration to unexpected endpoints, and no malicious code. All canary files remained intact and network activity during installation was limited to GitHub (expected) and Ubuntu update checks (pre-existing). The only meaningful risk surface is the pyzotero auto-installation supply chain dependency and transmission of the Zotero API key, both of which are explicitly documented and consistent with the skill's stated purpose.
Category Scores
Findings (4)
LOW Auto-installs Python dependency via uv on first run -8 ▶
The PEP 723 inline script header causes uv run to automatically install pyzotero>=1.6.0 from PyPI without user confirmation. A compromised or typosquatted pyzotero release could execute arbitrary code. Risk is low given pyzotero's established provenance and >1.6.0 version pin.
LOW Credential read from environment variable with network transmission -10 ▶
ZOTERO_CREDENTIALS (userID:apiKey) is read from the environment and sent to api.zotero.org over HTTPS. This is the skill's documented design, but it does mean the Zotero API key is transmitted on every invocation. A network interception attack would require TLS compromise.
LOW PDF download from arXiv with custom User-Agent header -5 ▶
The script sets a spoofed Chrome/macOS User-Agent when downloading arXiv PDFs. While this is a common workaround for CDN rate limiting, it slightly obscures the origin of requests. No evidence this is used for anything beyond PDF retrieval.
INFO Slug typo: 'zotero-sholar' vs documented name 'zotero-scholar' 0 ▶
The repository slug and _meta.json displayName use 'zotero-sholar' while SKILL.md declares name 'zotero-scholar'. This is a cosmetic discrepancy consistent with a spelling error, not an evasion technique.