Papyrus
PassAudited by VirusTotal on May 6, 2026.
Overview
Type: OpenClaw Skill Name: papyrus Version: 0.2.1 The Papyrus skill bundle contains several shell scripts (build_pdf.sh, render_figures.sh, and render_formulas.sh) that are vulnerable to command injection. These scripts use shell variables directly within Python one-liners (e.g., python3 -c "... '${VAR}' ...") without proper sanitization. This allows for arbitrary Python code execution if a processed LaTeX formula, filename, or URL contains malicious escape characters. While the tool's logic and instructions in SKILL.md and SOP.md appear aligned with its stated purpose of academic paper processing, these vulnerabilities represent a significant security risk in an agentic environment where untrusted paper sources are processed.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malformed or hostile archive could overwrite files outside the intended work area or leave a partial/corrupt workspace without the agent noticing.
The skill downloads an external paper archive and extracts it directly into a user-specified directory without validating archive member paths, symlinks, size, or extraction failure.
curl -sL "$SOURCE_URL" -o "$OUTPUT_DIR/source.tar.gz" ... tar -xzf "$OUTPUT_DIR/source.tar.gz" -C "$OUTPUT_DIR" 2>/dev/null || true
Validate archive contents before extraction, reject absolute paths, '..' paths, and unsafe symlinks, extract in a disposable sandbox, and remove the '|| true' so extraction failures stop the workflow.
If a crafted paper or formula file causes hostile formula text to be copied into the workflow, it could alter the Python snippet in the online-render path or trigger unsafe local TeX processing under the user's account.
Formula text taken from formulas.txt is embedded into a TeX document and also interpolated directly into Python source code inside a shell command instead of being passed as data via argv, stdin, or a safely quoted file.
cat > "$tmpdir/formula.tex" << TEXEOF
...
${tex_formula}
...
TEXEOF
...
encoded=$(python3 -c "import urllib.parse; print(urllib.parse.quote('${tex_formula}'))")Pass formula text to Python via stdin/sys.argv or JSON, avoid interpolating untrusted values into python -c strings, sanitize formula names and output paths, and run LaTeX in a sandbox with shell escape disabled.
For public arXiv papers this is usually acceptable, but formulas from a private or unpublished paper may leave the local machine.
When local LaTeX dependencies are unavailable, formula source is sent to the third-party Codecogs rendering service.
echo "🌐 Falling back to online API (codecogs.com)"
...
local url="https://latex.codecogs.com/png.image?${encoded}"
...
resp = urllib.request.urlopen(req, timeout=15)Use local LaTeX/offline rendering for private documents, or require an explicit user confirmation before using the Codecogs fallback.
Those agent platforms may continue to expose Papyrus commands after the immediate paper-conversion task.
The skill documents copying adapters into multiple agent platform configuration directories, which can persist tool availability beyond a single Papyrus task.
cp platforms/claude-code/papyrus-skill.md .claude/skills/ cp platforms/codex/papyrus-tool.yaml .codex/tools/ cp platforms/hermes/papyrus-tool.py hermes/tools/ cp platforms/open-code/papyrus-config.yaml .open-code/
Only copy the adapters into trusted projects where you want persistent Papyrus access, and remove them when no longer needed.