cnki-export
Audited by Socket on Mar 3, 2026
1 alert found:
Security: The skill is coherent with its stated purpose: it scrapes CNKI export IDs from results or detail pages, calls CNKI's export API to obtain citation payloads, and either saves a JSON/RIS/GB output or forwards items to Zotero via a local Python helper that posts to the Zotero connector at localhost. I find no direct malicious behavior in the provided code (no external exfiltration domains, no credential-file reads, no remote download-and-execute). The primary security concern is the transitive trust in the local Python script (path shown but script not provided) — that local artifact, if untrusted or modified, could exfiltrate data or perform other actions. Inspect and verify the Python script before executing it. Overall: low immediate risk from the JS snippets and network calls, moderate supply-chain risk due to running an unchecked local script.