Paper Management System
Author: crayfish-ai · GitHub · v2.0.2 · MIT-0
Total downloads: 137
Favorites: 0
Current installs: 1
Versions: 5
Install in OpenClaw
/install paper-management-system
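Description
Literature management system: an automated tool for PDF literature indexing, search, and AI summarization. Activated when the user needs to manage PDF literature, index automatically, search literature, or extract metadata.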
Security usage recommendations
This package appears to be a legitimate local PDF management tool, but review these before installing:
- Notification command risk: The notification feature executes whatever you configure as notification.cmd using a shell. Do not set this to an untrusted URL fetcher or arbitrary command; prefer 'stdout' or a vetted relay program. Treat notification.cmd as able to exfiltrate summaries if misconfigured.
- Declaration mismatches: The scripts assume common system utilities (python3, sqlite3 CLI, md5sum) though the skill metadata lists no required binaries. Ensure these are available and run the tool in a controlled environment (container/VM) first.
- OpenAI/Anthropic inconsistency: README/requirements mention OpenAI/Anthropic, but the summarizer code does not call those APIs. If you plan to enable networked AI summarization, inspect/modify code to use the provider safely and only supply an API key after review.
- Sanity checks: Inspect config.yaml or env vars before running; back up any important PDF folders and the DB; run the scripts with notification disabled initially to confirm behavior; consider running in an isolated user account or container to limit filesystem access.
If you want higher confidence, ask the publisher for a canonical repository or provenance (the skill references a GitHub URL); verify that the packaged code matches that upstream source and that any AI/networking calls are explicit and audited.
Functional analysis
Type: OpenClaw Skill
Name: paper-management-system
Version: 2.0.2
The bundle contains a command injection vulnerability in `scripts/ai_summarize.py` within the `send_notification` function, which uses `subprocess.run(shell=True)` to execute a command string constructed from PDF metadata (title and summary). While the tool's logic for indexing and managing academic papers appears legitimate, this implementation flaw allows for potential arbitrary code execution if a processed PDF contains a malicious title or content. No evidence of intentional malice, backdoors, or data exfiltration was found.
Capability assessment
Purpose & Capability
Name/description match the included scripts: indexing, renaming, full-text extraction, and AI summarization. However, the metadata/README/requirements advertise OpenAI/Anthropic integration while ai_summarize.py contains only local heuristic text-processing (no openai/anthropic calls). Also the package expects system tools (python3, sqlite3 CLI, md5sum) although the skill's declared required binaries list is empty — a mismatch between declared requirements and actual script assumptions.
Instruction Scope
Runtime instructions (cron or manual) run the bundled shell and Python scripts which read/write local PDFs, logs, and an SQLite DB — that's expected. But ai_summarize.py's send_notification executes a configured notification command via shell (subprocess.run(..., shell=True)) and auto_index.sh invokes the sqlite3 CLI and moves/removes files; both allow arbitrary commands if the notification command or environment is misconfigured. The SKILL.md does not sufficiently warn users that notification configuration may run arbitrary shell commands or send data externally.
Install Mechanism
There is no installer that downloads code from external URLs; this is provided as source files and a requirements.txt. Installation is the usual pip install -r requirements.txt per README. No high-risk remote downloads or extract-from-URL steps are present.
Credentials
Environment variables are limited and appropriate for a local paper manager (PAPERMGR_* dirs, DB path, PAPERMGR_AI_ENABLED, OPENAI_API_KEY optional). That said, OPENAI_API_KEY is advertised as an option but the included ai_summarize.py does not use the OpenAI/Anthropic libraries — inconsistent documentation vs code. Also the skill.json marks OPENAI_API_KEY as sensitive (expected) and network access to api.openai.com is listed as optional; requiring that key would be proportionate only if the code actually used it.
Persistence & Privilege
The skill is not always-enabled, requests no platform-level privileges, and does not modify other skills or system-wide settings. It does read/write local filesystem paths under the project (papers, downloads, data, logs) which is expected for its purpose.
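How to use
- Make sure OpenClaw is installed (local or Docker deployment).
- Enter the install command in the chat box: /install paper-management-system
- Once installation completes, invoke the Skill by name or trigger it with /paper-management-system
- Provide the required inputs according to the Skill's parameter description to get structured output.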
Version history
v2.0.2
**Major refactor and reorganization of the paper management system.**
- Scripts moved to the scripts/ directory, with naming unified and legacy/duplicate files removed.
- Configuration and invocation instructions simplified; now focused on environment variables and scripts.
- Features and usage documentation streamlined in SKILL.md and README.md, reflecting the new workflow.
- Previous shell scripts and duplicate Python scripts consolidated or deleted.
- Changelog, migration, and separate process docs removed for clarity.
- Output paths and environment variables more clearly documented.
v2.0.1-beta
paper-management-system 2.0.1-beta
- Updated CHANGELOG.md.
- No changes to functionality or code.
v2.0.1
v2.0.1: Shell reduction - Python unified entry point, config.py for all modules
v2.0.0
v2.0.0: Engineering overhaul
v1.0.0
Paper Management System v1.0.0
- Initial release of an automated PDF literature management tool.
- Features include automatic PDF indexing, metadata extraction, full-text retrieval, intelligent search, and normative file renaming.
- Supports AI-based summarization of research background, methods, results, and conclusions.
- New literature notification via Feishu integration (requires feishu-relay).
- Cron-based scheduled scanning and comprehensive command-line usage provided.
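Metadata
FAQ
What is Paper Management System?
Literature management system: an automated tool for PDF literature indexing, search, and AI summarization. Activated when the user needs to manage PDF literature, index automatically, search literature, or extract metadata. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 137 total downloads so far.
How do I install Paper Management System?
Run the command "/install paper-management-system" in the OpenClaw or Claude Code chat box for one-step installation; no additional configuration is required.
Is Paper Management System free?
Yes, Paper Management System is completely free and uses the MIT-0 license; it can be freely downloaded, installed, and used.
Which platforms does Paper Management System support?
Paper Management System is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Paper Management System?
Developed and maintained by crayfish-ai (@crayfish-ai); the current version is v2.0.2.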