Security audit

Overleaf LaTeX

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Overleaf and LaTeX workflow skill, with the main caution being that it asks users to manage local Overleaf credentials carefully.

Use a revocable Overleaf token instead of a password where possible, keep the credential file private, and consider a more secure credential helper than global plaintext git storage. Review the separate Overleaf plugin before installing it, and confirm commits, pushes, merges, or branch deletions before running them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 98%
Finding
The skill instructs users to store Overleaf credentials or tokens in a plaintext file under the home directory. Even with chmod 600, plaintext secrets can be exposed through backups, logs, misconfigured tooling, endpoint compromise, or accidental disclosure, creating account takeover risk for the Overleaf project and any linked private documents.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.