ClawHub
Back to skill
v1.2.0

Overleaf

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 5:21 AM.

Analysis

This Overleaf skill is coherent, but it asks the user to grant browser-cookie/keychain access and includes account-changing workflows that should be reviewed carefully before use.

GuidanceReview this skill before installing. It is not clearly malicious, but it depends on an external CLI with browser-cookie/keychain access and can write, delete, download, and accept invitations in your Overleaf account. Use a pinned and verified pyoverleaf version, grant keychain access only if you accept the risk, and require explicit confirmation for any project write, removal, or invitation acceptance.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityHighConfidenceHighStatusConcern
SKILL.md
The agent can accept Overleaf project invitations programmatically ... no manual clicking required.

The invite workflow uses authenticated browser cookies to change account/project state, and the provided code pattern iterates through pending invites rather than requiring an explicit confirmed target by default.

User impactAn agent following these instructions could accept unintended project invitations or perform Overleaf project changes with the user's account authority.
RecommendationRequire explicit user confirmation and a specific project URL or ID before accepting invites, writing files, or removing files; list pending changes first and avoid all-invite or bulk mutation defaults.
Agentic Supply Chain Vulnerabilities
SeverityMediumConfidenceHighStatusConcern
SKILL.md
pyoverleaf (`pipx install pyoverleaf`) ... We have audited pyoverleaf v0.1.7 and found it safe.

The install command does not pin the package to the audited version, while the package is expected to handle browser cookies and authenticated Overleaf operations.

User impactA newer or compromised package version could receive the same cookie/keychain access and project mutation authority.
RecommendationPin the dependency to a reviewed version, verify the package source before installing, and document the expected version in the install requirements.
Human-Agent Trust Exploitation
SeverityLowConfidenceMediumStatusNote
SKILL.md
We have audited pyoverleaf v0.1.7 and found it safe.

The artifact provides a broad safety assurance without including audit evidence, and the recommended install path is not pinned to that audited version.

User impactUsers may over-trust the dependency and grant sensitive browser-cookie access without independently verifying the installed version.
RecommendationTreat the safety statement as informational only; verify the package and version yourself before granting persistent browser/keychain access.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityHighConfidenceHighStatusConcern
SKILL.md
pyoverleaf needs "Always Allow" keychain access to read browser cookies. This grants the tool access to your browser's cookie storage.

The skill relies on local browser session cookies and keychain access rather than a scoped Overleaf credential, giving the third-party CLI access to sensitive authentication material.

User impactThe CLI can act as the user's logged-in Overleaf account and may receive broader browser-cookie access than a single project-specific integration would need.
RecommendationOnly grant this access if you trust the exact pyoverleaf version and understand the browser-cookie implications; consider revoking keychain permission after use and prefer scoped credentials if available.