overleaf
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTIONCREDENTIALS_UNSAFE
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill installs the
olclitool from an untrusted npm package (@aloth/olcli) and a third-party Homebrew tap (aloth/tap).\n- [REMOTE_CODE_EXECUTION] (HIGH): Thescripts/install.shfile automates the installation of an external binary from an unverified source and immediately executes it (olcli --version), which constitutes a download-and-execute pattern from a non-trusted repository.\n- [PROMPT_INJECTION] (HIGH): The skill creates a significant vulnerability for indirect prompt injection. 1. Ingestion points: External LaTeX source files and compilation logs are pulled into the agent's context from Overleaf viaolcli pull. 2. Boundary markers: There are no delimited boundaries or instructions to ignore embedded commands in the processed data. 3. Capability inventory: The skill can write back to Overleaf projects (olcli push,olcli upload) and manage local files. 4. Sanitization: No sanitization is performed on external content, allowing malicious LaTeX comments to potentially hijack agent logic or exfiltrate data.\n- [COMMAND_EXECUTION] (LOW): Relies on executing theolcliCLI to perform all project management tasks.\n- [CREDENTIALS_UNSAFE] (LOW): Stores sensitive Overleaf session cookies (overleaf_session2) in plaintext in the global config directory (~/.config/olcli-nodejs/config.json).
Recommendations
- AI detected serious security threats
Audit Metadata