Is aloth/overleaf-skill safe?

https://github.com/openclaw/skills/tree/main/skills/aloth/overleaf-skill

Overall score: 92 (SAFE)

This skill is a benign documentation wrapper for the olcli CLI tool that manages Overleaf LaTeX projects. It contains no prompt injection, no data exfiltration code, no malicious scripts, and triggered no anomalous behavior during installation. The primary risk is the supply chain trust placed in the third-party Homebrew tap and npm package, plus the inherent credential exposure from session cookie-based authentication stored in plaintext.

Category Scores (category · score · weight in overall score)

Prompt Injection · 95/100 · 30%
Data Exfiltration · 92/100 · 25%
Code Execution · 85/100 · 20%
Clone Behavior · 100/100 · 10%
Canary Integrity · 100/100 · 10%
Behavioral Reasoning · 80/100 · 5%

Findings (6)

MEDIUM Third-party Homebrew tap and npm package installation -15

The skill instructs installation from the Homebrew tap aloth/tap and the npm package @aloth/olcli. These are external code sources maintained by the skill author. Their contents cannot be audited as part of this skill audit, so they represent a supply chain trust dependency.

LOW Session cookie passed as CLI argument -8

The olcli auth --cookie command takes the session cookie as a CLI argument, so the cookie can appear in shell history, process listings (ps), and audit logs. The cookie is also stored in plaintext in .olauth or ~/.config/olcli-nodejs/config.json, where it is readable by other skills or processes running as the same user.

LOW Agent instructed to handle sensitive session credentials -5

The skill instructs the agent to guide users through extracting browser session cookies and passing them to CLI commands. This is not a prompt injection, but it normalizes handling sensitive auth tokens in the agent conversation, which a follow-up social engineering attempt or a malicious skill could exploit.

LOW File sync commands could be abused in skill combination attacks -10

Commands like olcli upload and olcli push allow sending local files to Overleaf. If a malicious skill gains access to the stored session cookie (.olauth), it could silently upload sensitive local files to the user's Overleaf project as a covert exfiltration channel.

INFO Clean installation with no anomalous behavior 0

A git clone from GitHub was the only external network activity attributable to the skill installation. No unexpected processes were spawned, no connections were blocked by the firewall, and no filesystem changes occurred outside the expected paths.

INFO All honeypot files untouched 0

No canary files were accessed or modified during installation, confirming no credential harvesting behavior.