Is dayunyan/academic-writer safe?
https://github.com/openclaw/skills/tree/main/skills/dayunyan/academic-writer
This skill contains serious security design flaws that make it dangerous when deployed with an LLM agent that has shell:exec permission. The read_reference and write_latex tools perform no path validation at all, so any file the agent process can read or write is reachable through ordinary agent interactions. A locked dependency on the unaudited academic-research-hub skill adds a supply chain vector: BibTeX returned by that skill is written to disk unchecked and, if the host's TeX installation allows shell escape, a crafted entry could achieve RCE via \write18 during PDF compilation. No prompt injection was detected in the SKILL.md itself, no exfiltration was observed during the monitored install, and canary file integrity was maintained; however, the structural vulnerabilities make this skill highly exploitable in production.
Findings (8)
CRITICAL Unrestricted Arbitrary File Read via read_reference -35
The read_reference tool calls open(file_path, 'r', encoding='utf-8', errors='ignore') with no path validation: no base directory, no traversal check, no extension allowlist. Any file readable by the agent process can be read and injected into the LLM context. A single manipulated request ('read my notes at ~/.aws/credentials') or an indirect injection from a malicious companion skill leaks the full credential content. Note that Python's open() does not expand '~', so in practice the agent or the attacker supplies the expanded absolute path; nothing in the tool blocks absolute paths either.
HIGH Arbitrary File Write Without Path Restriction via write_latex -25
write_latex_content(filename, content, mode) passes the filename argument directly to open() with no sanitization. An attacker-controlled filename such as '../../.bashrc' or '/etc/cron.d/pwn' (relative and absolute paths are both accepted; a literal '~/.profile' would have to be expanded by the caller first, since open() does not expand '~') combined with crafted content can create or overwrite any file the agent process may write. With mode='a' the operation is an append, which allows stealthy incremental modification of existing files without clobbering their current content.
HIGH LaTeX Shell-Escape RCE via compile_pdf -20
compile_pdf passes user-controlled LaTeX source through latexmk without restricting the engine's shell-escape mode. TeX Live ships with restricted shell escape (shell_escape = p in texmf.cnf), which lets \write18 run only an allowlisted set of programs; but if the host has shell_escape = t in texmf.cnf, or latexmk is configured to pass -shell-escape (developers often enable this globally for packages such as minted that require it), any \write18{cmd} or \immediate\write18{cmd} directive in the document executes arbitrary shell commands. This is a long-known LaTeX RCE vector. The -interaction=nonstopmode flag only controls how the engine behaves on errors; it does NOT disable shell escape. Only an explicit -no-shell-escape on the engine command line overrides the texmf.cnf setting.
HIGH Unaudited Supply Chain Dependency on academic-research-hub -35
The .clawhub/lock.json declares academic-research-hub v0.1.0 as a locked dependency. A lock file pins a version; it does not vouch for what that version does. The skill explicitly instructs the agent to delegate citation retrieval to this companion skill and then append the returned BibTeX directly to .bib files using write_latex, with no inspection in between. If academic-research-hub is malicious or compromised, it can return entries whose field values (a title, a note) contain \write18{} payloads. bibtex copies such field text into the generated .bbl, which LaTeX reads on the next compile_pdf call, so the payload reaches the TeX engine without anyone opening the .bib file and executes wherever shell escape is enabled.
MEDIUM Arbitrary Directory Traversal via scan_template -15
scan_template(directory) accepts any path and uses glob.glob(os.path.join(directory, '*.tex')) and glob.glob(os.path.join(directory, '*.bib')). Passing '/etc' or the expanded path of the user's .ssh directory (neither os.path.join nor glob expands '~', so a literal '~/.ssh' would simply match nothing) enumerates and partially exposes any file there that has a .tex or .bib extension, or can be used to probe directory existence. The function returns up to 800 characters of each matched file's content, so every match is a direct disclosure.
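The read_reference, write_latex and scan_template findings share one missing control: every path the agent produces must be confined to a project root before it reaches open() or glob(). The block below is an added example, not the skill's own code; vulnerable_read() reproduces the unvalidated open() pattern the findings describe, while confine(), safe_read(), safe_write() and safe_scan() are a hypothetical hardened replacement, and demo() exercises them against a constructed scratch project with a stand-in credentials file.

```python
"""Path confinement for agent file tools (added example, not the skill's code).

vulnerable_read() is the flawed pattern from the findings; confine() and the safe_*
helpers are a hypothetical hardened replacement; demo() uses constructed sample files.
"""
import glob
import os
import tempfile
from pathlib import Path

TEX_SUFFIXES = (".tex", ".bib", ".cls", ".sty")


class PathEscape(ValueError):
    """Path is absolute, home-relative, outside the root, or has a disallowed extension."""


def vulnerable_read(file_path: str) -> str:
    # The flawed pattern: whatever string the LLM produced goes straight to open().
    with open(file_path, "r", encoding="utf-8", errors="ignore") as f:
        return f.read()


def confine(root: Path, user_path: str, suffixes=TEX_SUFFIXES) -> Path:
    """Resolve user_path under root or raise PathEscape.

    Absolute and '~' paths are refused, not rewritten. Path.resolve() follows symlinks,
    so a link inside root that points outside is caught too. suffixes=None skips the
    extension check (used for directories).
    """
    if user_path.startswith("~") or Path(user_path).is_absolute():
        raise PathEscape(f"{user_path!r}: absolute and home-relative paths are not allowed")
    root = root.resolve()
    candidate = (root / user_path).resolve()
    if candidate != root and root not in candidate.parents:
        raise PathEscape(f"{user_path!r} resolves outside {root}")
    if suffixes is not None and candidate.suffix.lower() not in suffixes:
        raise PathEscape(f"{user_path!r}: extension not in {suffixes}")
    return candidate


def safe_read(root: Path, user_path: str) -> str:
    with open(confine(root, user_path), "r", encoding="utf-8", errors="ignore") as f:
        return f.read()


def safe_write(root: Path, user_path: str, content: str, mode: str = "w") -> Path:
    if mode not in ("w", "a"):  # the tool only needs overwrite and append
        raise ValueError(f"mode {mode!r} not allowed")
    target = confine(root, user_path)
    target.parent.mkdir(parents=True, exist_ok=True)  # parent is inside root by construction
    with open(target, mode, encoding="utf-8") as f:
        f.write(content)
    return target


def safe_scan(root: Path, user_dir: str) -> list[str]:
    """Confined scan_template: only directories under root, only *.tex and *.bib."""
    directory = confine(root, user_dir, suffixes=None)
    if not directory.is_dir():
        raise PathEscape(f"{user_dir!r} is not a directory under {root}")
    matches = glob.glob(os.path.join(directory, "*.tex")) + glob.glob(os.path.join(directory, "*.bib"))
    return sorted(os.path.basename(m) for m in matches)


def demo() -> dict:
    """Run each request against a constructed scratch tree; returns a verdict per request."""
    base = Path(tempfile.mkdtemp())
    root = base / "paper"
    (root / "chapters").mkdir(parents=True)
    (root / "chapters" / "intro.tex").write_text("\\section{Introduction}\n", encoding="utf-8")
    secret = base / "credentials"  # stands in for ~/.aws/credentials, outside the project
    secret.write_text("aws_secret_access_key = CONSTRUCTED-SAMPLE\n", encoding="utf-8")

    def attempt(fn, *args):
        try:
            fn(*args)
            return "allowed"
        except PathEscape:
            return "rejected"

    results = {
        "vulnerable_leaks": "CONSTRUCTED-SAMPLE" in vulnerable_read(str(secret)),
        "read_in_root": attempt(safe_read, root, "chapters/intro.tex"),
        "read_traversal": attempt(safe_read, root, "../credentials"),
        "read_absolute": attempt(safe_read, root, str(secret)),
        "read_home": attempt(safe_read, root, "~/.aws/credentials"),
        "write_bib_append": attempt(safe_write, root, "refs.bib", "@misc{x, title={t}}\n", "a"),
        "write_dotfile": attempt(safe_write, root, "../../.bashrc", "echo pwned\n", "a"),
        "write_cron": attempt(safe_write, root, "/etc/cron.d/pwn", "* * * * * root id\n", "w"),
        "scan_in_root": attempt(safe_scan, root, "chapters"),
        "scan_etc": attempt(safe_scan, root, "/etc"),
    }
    try:
        (root / "link.tex").symlink_to(secret)  # symlink inside root pointing outside it
        results["read_symlink"] = attempt(safe_read, root, "link.tex")
    except OSError:  # filesystem or platform refuses symlinks
        results["read_symlink"] = "skipped"
    results["scan_listing"] = safe_scan(root, "chapters")
    return results
```

Refusing absolute and '~' paths outright, instead of silently re-rooting them, keeps the agent's transcript honest about what was blocked; resolving both the root and the candidate before comparing is what defeats the symlink case, which a plain string prefix check misses.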
MEDIUM Content Parameter Passed as CLI Argument Enables Indirect Injection -15
The write_latex tool definition passes {{content}} as a positional argument: writer_tools.py write_latex {(unknown)} {{content}} {{mode}}. Because the script receives these values through sys.argv rather than through a shell, there is no command injection at this stage. However, the content is written verbatim to a .tex file that latexmk later compiles, which makes this an effective two-stage injection vector: LaTeX macros smuggled into content at write time are executed at compile time.
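The shell-escape, supply-chain and two-stage injection findings above have the same shape: text accepted at write time (from the user or from a companion skill's BibTeX) is executed at compile time. As an added example that is not the skill's code, the block below gates content for the documented shell-escape primitives before it would be handed to write_latex, and builds a latexmk command line that turns shell escape off regardless of texmf.cnf. find_shell_escape(), gate_before_write(), latexmk_argv() and the two .bib entries are hypothetical, constructed for this illustration; the latexmk and engine flags are real options.

```python
"""Gate LaTeX/BibTeX content for shell-escape primitives and compile with shell escape off.

Added example, not the academic-writer skill's code. The regex gate is defence in depth
(TeX-level obfuscation such as ^^ notation can evade it); -no-shell-escape is the control.
"""
import re

SHELL_ESCAPE_PATTERNS = {
    # \write18{cmd}, \immediate\write18{cmd}, or \csname write18\endcsname{cmd}
    "write18": re.compile(r"(?:\\|csname\s*)write\s*18"),
    # \input "|cmd" or \openin\f="|cmd": a filename starting with '|' is a pipe from cmd
    "piped_input": re.compile(r"\\(?:input|openin\\?\w*\s*=)\s*[\"{]?\s*\|"),
    # LuaTeX: Lua in the document; os.execute/io.popen obey the same shell_escape setting
    "directlua": re.compile(r"\\directlua\b"),
}


def find_shell_escape(content: str) -> list[tuple[int, str, str]]:
    """Return (line number, rule, stripped line) for every primitive found in content."""
    hits = []
    for lineno, line in enumerate(content.splitlines(), 1):
        for rule, pattern in SHELL_ESCAPE_PATTERNS.items():
            if pattern.search(line):
                hits.append((lineno, rule, line.strip()))
    return hits


def gate_before_write(content: str) -> str:
    """Refuse content destined for write_latex if it contains any primitive."""
    hits = find_shell_escape(content)
    if hits:
        detail = "; ".join(f"line {n} [{rule}] {text}" for n, rule, text in hits)
        raise ValueError("shell-escape primitive in LaTeX/BibTeX content: " + detail)
    return content


def latexmk_argv(tex_file: str, out_dir: str = "build") -> list[str]:
    """latexmk command for untrusted sources.

    -no-shell-escape is an engine option (pdfTeX, XeTeX, LuaTeX) that overrides
    shell_escape in texmf.cnf; latexmk forwards it with -latexoption. -interaction
    only changes error handling; -halt-on-error stops at the first error.
    """
    return ["latexmk", "-pdf", "-interaction=nonstopmode", "-halt-on-error",
            "-latexoption=-no-shell-escape", f"-outdir={out_dir}", tex_file]


# Constructed samples standing in for BibTeX returned by a companion skill.
BENIGN_BIB = r"""@article{sample2024,
  title   = {A Constructed Sample Entry},
  author  = {Doe, Jane},
  journal = {Constructed Journal},
  year    = {2024},
  note    = {Accents and escapes are fine: Schr\"{o}dinger \& co.}
}"""

MALICIOUS_BIB = r"""@article{hub2024,
  title  = {Results \immediate\write18{id > /tmp/pwned}},
  author = {Companion Skill},
  year   = {2024}
}
@misc{obf2024,
  title  = {\csname write18\endcsname{id}},
  note   = {\openin\f=|"id" \directlua{os.execute("id")}},
  year   = {2024}
}"""


def audit_samples() -> dict:
    """Run the gate over both samples and build the hardened compile command."""
    return {
        "benign_hits": len(find_shell_escape(BENIGN_BIB)),
        "malicious_hits": find_shell_escape(MALICIOUS_BIB),
        "malicious_rules": sorted({rule for _, rule, _ in find_shell_escape(MALICIOUS_BIB)}),
        "argv": latexmk_argv("main.tex"),
    }
```

Run the gate at the point where BibTeX from academic-research-hub would be appended, and use latexmk_argv() for compile_pdf. Passing -no-shell-escape also disables the restricted mode's allowlist, so documents that rely on it (for example epstopdf conversions) will need an explicit decision rather than an inherited default; and if a user's .latexmkrc adds -shell-escape to the engine command, that file is part of the attack surface too.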
LOW Hard-Coded Platform Assumption May Confuse Agent -10
The SKILL.md installation instructions explicitly target WSL2 (Ubuntu) and use sudo apt-get. If the agent is running on a non-WSL2 Linux host or on macOS, these instructions will either fail or lead the agent to invoke sudo in an environment the author did not anticipate, potentially steering it into unintended privileged actions.
INFO Proprietary License Restricts Redistribution 0
The skill declares license: Proprietary, which prohibits redistribution and may limit users' legal ability to modify or audit the skill code.