Overleaf
Pass
Audited by ClawScan on May 10, 2026.
Overview
This looks like a legitimate Overleaf helper, but using it means installing an external CLI and giving it an Overleaf session cookie that can change your projects.
This skill appears coherent for managing Overleaf projects. Before installing, make sure you trust the external olcli package, understand that your Overleaf session cookie can access your projects, keep credential files out of repositories, and review changes before running push or sync.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the cookie or local credential file is exposed, someone could access or modify the user's Overleaf projects.
The skill uses an Overleaf browser session cookie and stores or reads it from local credential locations. This is purpose-aligned for Overleaf access, but the cookie can grant account-level project access and should be treated as sensitive.
olcli uses session cookie authentication via `overleaf_session2`... Credentials are checked in order:
1. `OVERLEAF_SESSION` environment variable
2. `.olauth` file in current directory
3. Global config: `~/.config/olcli-nodejs/config.json`
Only use this with a trusted olcli install, keep `.olauth` out of shared folders and git, use `olcli logout` when done, and rotate/log out sessions if the cookie may have leaked.
Running push, sync, or upload against the wrong project or directory could overwrite or publish unintended paper changes to Overleaf.
The skill documents commands that can upload or synchronize local files into Overleaf projects. These actions are coherent with the skill's purpose and are shown as explicit user workflows, but they can change project content.
`olcli push # Upload changes only`
`olcli sync # Bidirectional sync (pull + push)`
`olcli upload figure1.png "My Paper"`
Review the target project and local changes before syncing, use `olcli push --dry-run` where possible, and be cautious with force-overwrite options.
The behavior ultimately depends on the externally installed olcli package and whatever version the package manager installs.
The install helper fetches an external CLI through Homebrew or npm without a pinned version in the provided artifacts. This is expected for the skill's purpose, but the reviewed package does not include the olcli implementation itself.
`brew tap aloth/tap`
`brew install olcli`
...
`npm install -g @aloth/olcli`
Install from a trusted source, consider pinning or auditing the olcli package, and avoid running the installer automatically in sensitive environments.
