Papyrus

Security checks across malware telemetry and agentic risk

Overview

Papyrus has a coherent academic-paper-to-PDF purpose, but it needs review because it sends formula content to external services and runs brittle local scripts on untrusted paper content.

Install only if you are comfortable with the skill contacting arXiv, search/web sources, and possibly codecogs.com, and with local scripts processing downloaded paper files. Use public papers or a disposable workspace/container, prefer local LaTeX rendering, avoid private manuscripts unless remote rendering and web research are disabled, and check the missing/expected SCRIPTS/papyrus entry point before relying on the platform adapters.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
sys.exit(1)
    cmd = sys.argv[1]
    args = sys.argv[2:]
    result = getattr(papyrus, cmd)(*args)
    print(result)
Confidence
93% confidence
Finding
result = getattr(papyrus, cmd)(*args)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README states that formulas may be rendered via codecogs.com, which implies sending paper-derived LaTeX content to a third-party service, but it does not clearly disclose the privacy, confidentiality, or compliance implications of that transfer. In an agent skill context, users may process unpublished or sensitive research content automatically, so insufficient warning can lead to unintended external data exposure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script falls back to an external service at latex.codecogs.com and transmits the full formula content without requiring explicit user consent or providing a clear warning at the point of use. If formulas contain proprietary, sensitive, or unpublished material, this creates a confidentiality risk because data leaves the local environment and is exposed to a third party and to network observers/logging systems.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly requires internet access for arXiv downloads and codecogs formula rendering, and it also describes commentary enriched by web research, but it does not clearly warn users that paper content, formulas, or derived excerpts may be transmitted to third-party services. In an academic setting, papers may be unpublished, proprietary, or embargoed, so silent external transmission can create confidentiality, compliance, and data-governance risks.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The SOP explicitly allows fallback to an online formula-rendering API, which can transmit extracted formula content from the paper to a third-party service without user consent or visibility. In contexts involving unpublished, proprietary, or sensitive manuscripts, this creates a real data leakage risk and expands the trust boundary beyond the local environment.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs the agent to fetch arXiv content and perform web research, which causes external network access and may transmit user-provided URLs, prompts, or derived content to third parties without any disclosure or consent step. In an agent setting, silent outbound access can expose sensitive research interests, private documents, or contextual data and creates privacy and policy-compliance risks.

Missing User Warnings

High
Confidence
99% confidence
Finding
Documenting a fallback to codecogs.com means formula text may be transmitted to an external third-party renderer, yet the skill gives no warning or consent mechanism. Formula content can include unpublished research, proprietary notation, or sensitive material, so silent transmission to a third party is a concrete confidentiality risk beyond ordinary web fetching.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill explicitly instructs the agent to download arXiv sources, fetch arXiv HTML, download appendix figures, and perform broad web research, but the config contains no user-facing notice or consent gate for those external requests. In a skill that may be invoked automatically based on triggers, this can cause unexpected transmission of user-provided URLs or research interests to third-party services and may violate privacy or operator policy expectations.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The pipeline uses a fixed /tmp/papyrus_work directory for downloaded sources, extracted figures, rendered formulas, HTML, and the final PDF, but does not disclose this local artifact creation or describe cleanup behavior. This can leave potentially sensitive documents or derived content on shared systems, especially if /tmp is accessible to other users or if files persist after failures.

VirusTotal

63/63 vendors flagged this skill as clean.
