Overleaf
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a real Overleaf integration, but it relies on browser-cookie/keychain access and an unpinned external CLI that can modify projects and accept invites, so it needs careful review before use.
Install only if you are comfortable giving pyoverleaf access to browser cookies/keychain data. Prefer a pinned, reviewed pyoverleaf version, use a dedicated browser profile if possible, and require explicit confirmation before uploading, deleting, or accepting any Overleaf invite.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Granting this access could let the external tool act as the logged-in Overleaf user and access browser cookie storage if the tool or dependency is compromised.
The skill depends on local browser session material and durable keychain access, which is broader and more sensitive than a scoped Overleaf API token.
pyoverleaf needs "Always Allow" keychain access to read browser cookies. This grants the tool access to your browser's cookie storage.
Only grant keychain/cookie access if you trust the exact pyoverleaf version; consider a dedicated browser profile or Overleaf account, and revoke permissions when finished.
A changed or compromised pyoverleaf release would receive the same browser-cookie/keychain access needed by this skill.
The install command does not pin v0.1.7 or any hash, so users may install a different latest package version than the one claimed to have been audited.
pyoverleaf (`pipx install pyoverleaf`)... We have audited pyoverleaf v0.1.7 and found it safe.
Pin the dependency to a reviewed version, provide an install spec or lockfile, and avoid relying on an unaudited latest package for cookie-based authentication.
The agent could add projects to the user's Overleaf account or accept the wrong invite if the user request is ambiguous.
The documented invite workflow uses authenticated session requests to accept project invites, and the provided example iterates pending invites rather than requiring explicit confirmation for each one.
The agent can accept Overleaf project invitations programmatically using browser cookies — no manual clicking required.
Require the user to specify the exact project URL or invite, show the project name and inviter, and ask for explicit approval before sending the accept request.
A mistaken project name or file path could change or delete shared LaTeX content.
The documented commands can overwrite or remove files in shared Overleaf projects; this is purpose-aligned but can affect collaborators if used on the wrong path.
cat local.tex | pyoverleaf write "Project Name/main.tex"... pyoverleaf rm "Project Name/old-draft.tex"
Confirm the target project and file path before writes or removals, and rely on Overleaf history/backups for recovery.
