overleaf

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt instructs copying the Overleaf session cookie and embedding it directly in a command line (olcli auth --cookie "YOUR_SESSION_COOKIE"), which requires the LLM to include secret values verbatim in generated outputs/commands, creating exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's client (src/client.ts) fetches and parses live pages and Socket.IO payloads from the public Overleaf site (e.g., PROJECT_URL and per-project pages), ingesting user-generated project HTML/meta/script and socket payloads to extract CSRF tokens, project lists, file trees and folder IDs which are then used to drive downloads, uploads, compiles and other actions—so untrusted third-party content is read and can materially influence tool behavior.