As soon as you take a paper wallet key to an online machine, you can consider it compromised, this is why it is recommended to use a paper wallet only once and transfer the rest of the balance to the next unused one, if you still persist on using just one cold wallet then you need to make transactions online and sign them offline, which would require you to run a watch only wallet and that requires a master public key.
Can we consider the paper wallet as compromised even after taking all the precautions mentioned in my description.
(1) Using a dedicated machine with no writable media
(2) Using TAILS - clean Linux OS with no malware
(3) Not using the persistance feature of TAILS
(4) No connection to any LAN
The private key will be written to the RAM, since the home drive of the user will exist in RAM only, by using a password we ensure that what gets written to RAM is the encrypted pasword.