Paper Parse
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: paper-parse
Version: 1.0.0
The skill is classified as suspicious due to the potential for shell injection. The `SKILL.md` file instructs the AI agent to use the `pdftotext` command-line utility to process user-provided PDF files or URLs. If the input (filename or URL) is not rigorously sanitized by the OpenClaw platform before being passed to `pdftotext`, this could allow an attacker to inject arbitrary shell commands, leading to Remote Code Execution (RCE). While `pdftotext` is a legitimate tool for the skill's stated purpose, the method of its invocation represents a significant vulnerability.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may fetch and process the full contents of papers or URLs the user provides.
The skill directs the agent to use local/file tools and download user-provided PDF URLs. This is disclosed and central to paper parsing, but users should know the skill involves document extraction and URL-based downloading.
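Use the `pdftotext` command or the `read` action of the `file` tool to extract the full text of the paper. For papers supplied as a URL, first try to download the PDF and then extract it.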
Provide only papers and URLs you intend the agent to download and analyze, and avoid untrusted or sensitive documents unless you are comfortable processing them in the agent workspace.
Paper contents or summaries may remain in local workspace files after the task is complete.
The skill stores intermediate analysis and the final report as local Markdown files. This is expected for the workflow, but those files may contain extracted content or analysis from private manuscripts.
Create a temporary analysis file `temp_analysis.md`...create the final deliverable file, with the filename format `[论文简称]_研读报告.md`.
If the paper is confidential or unpublished, review where files are saved and delete temporary or final report files when they are no longer needed.
