Papyrus
AdvisoryAudited by Static analysis on May 6, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malformed or hostile archive could overwrite files outside the intended work area or leave a partial/corrupt workspace without the agent noticing.
The skill downloads an external paper archive and extracts it directly into a user-specified directory without validating archive member paths, symlinks, size, or extraction failure.
curl -sL "$SOURCE_URL" -o "$OUTPUT_DIR/source.tar.gz" ... tar -xzf "$OUTPUT_DIR/source.tar.gz" -C "$OUTPUT_DIR" 2>/dev/null || true
Validate archive contents before extraction, reject absolute paths, '..' paths, and unsafe symlinks, extract in a disposable sandbox, and remove the '|| true' so extraction failures stop the workflow.
If a crafted paper or formula file causes hostile formula text to be copied into the workflow, it could alter the Python snippet in the online-render path or trigger unsafe local TeX processing under the user's account.
Formula text taken from formulas.txt is embedded into a TeX document and also interpolated directly into Python source code inside a shell command instead of being passed as data via argv, stdin, or a safely quoted file.
cat > "$tmpdir/formula.tex" << TEXEOF
...
${tex_formula}
...
TEXEOF
...
encoded=$(python3 -c "import urllib.parse; print(urllib.parse.quote('${tex_formula}'))")Pass formula text to Python via stdin/sys.argv or JSON, avoid interpolating untrusted values into python -c strings, sanitize formula names and output paths, and run LaTeX in a sandbox with shell escape disabled.
For public arXiv papers this is usually acceptable, but formulas from a private or unpublished paper may leave the local machine.
When local LaTeX dependencies are unavailable, formula source is sent to the third-party Codecogs rendering service.
echo "🌐 Falling back to online API (codecogs.com)"
...
local url="https://latex.codecogs.com/png.image?${encoded}"
...
resp = urllib.request.urlopen(req, timeout=15)Use local LaTeX/offline rendering for private documents, or require an explicit user confirmation before using the Codecogs fallback.
Those agent platforms may continue to expose Papyrus commands after the immediate paper-conversion task.
The skill documents copying adapters into multiple agent platform configuration directories, which can persist tool availability beyond a single Papyrus task.
cp platforms/claude-code/papyrus-skill.md .claude/skills/ cp platforms/codex/papyrus-tool.yaml .codex/tools/ cp platforms/hermes/papyrus-tool.py hermes/tools/ cp platforms/open-code/papyrus-config.yaml .open-code/
Only copy the adapters into trusted projects where you want persistent Papyrus access, and remove them when no longer needed.