Trust Assessment
The `overleaf` skill received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 6 findings: 2 critical, 4 high, 0 medium, and 0 low severity. Key findings include Excessive Permissions: Browser Cookie Access, Supply Chain Risk: Unpinned Dependency, Command Injection: Zip Slip Vulnerability.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Excessive Permissions: Browser Cookie Access.** The `pyoverleaf` tool explicitly requires 'Always Allow' keychain access to read browser cookies for authentication. This grants the tool broad and persistent access to sensitive user authentication tokens, posing a significant risk of credential harvesting and unauthorized access to Overleaf projects, and potentially to other web services if the cookies are compromised. Recommendation: avoid tools that require direct access to browser cookie storage. If unavoidable, ensure strict isolation and user consent for each access. Consider alternative authentication methods, such as API tokens or OAuth, that do not expose browser session cookies. | LLM | SKILL.md:15 |
| CRITICAL | **Command Injection: Unsanitized User Input in Shell Script.** The `scripts/sync-to-overleaf.sh` script directly uses user-provided arguments (`$1` and `$2`) as `OVERLEAF_PATH` and `LOCAL_FILE` within a shell command: `cat "$LOCAL_FILE" \| pyoverleaf write "$OVERLEAF_PATH"`. If `$OVERLEAF_PATH` contains shell metacharacters (e.g., `; rm -rf /`), it can lead to arbitrary command execution on the host system. Recommendation: sanitize all user-provided input before using it in shell commands. For `OVERLEAF_PATH`, ensure it contains only valid path characters and no shell metacharacters. Consider a safer method of passing arguments to `pyoverleaf` that avoids direct shell interpolation, or escape the arguments rigorously. | LLM | scripts/sync-to-overleaf.sh:19 |
| HIGH | **Supply Chain Risk: Unpinned Dependency.** The skill instructs `pipx install pyoverleaf` without specifying a version. While the skill mentions an audit of `v0.1.7`, installing without a pinned version (e.g., `pyoverleaf==0.1.7`) allows any future version to be installed, including potentially malicious or compromised updates, introducing a supply chain risk. Recommendation: pin the dependency to a specific, audited version (e.g., `pipx install pyoverleaf==0.1.7`) to prevent unexpected or malicious updates. Regularly review and update dependencies. | LLM | SKILL.md:10 |
| HIGH | **Command Injection: Zip Slip Vulnerability.** The workflow instructs the agent to `unzip` a downloaded project file (`/tmp/latest.zip`) into `/tmp/latest`. If the downloaded zip file is untrusted or contains malicious path traversals (e.g., `../../etc/passwd`), the `unzip` command could write files to arbitrary locations on the filesystem, leading to command injection, data exfiltration, or system compromise. Recommendation: when unzipping untrusted archives, use a library or tool that explicitly mitigates zip slip by sanitizing paths or extracting only into a designated, isolated directory. Avoid using `unzip` directly on untrusted input. | LLM | SKILL.md:59 |
| HIGH | **Data Exfiltration: Arbitrary Local File Upload to External Service.** The `scripts/sync-to-overleaf.sh` script allows an agent to upload any specified local file (`$LOCAL_FILE`) to any specified path on Overleaf (`$OVERLEAF_PATH`). If misused by a malicious user, this capability could exfiltrate sensitive local files by uploading them to an Overleaf project accessible to the attacker. Recommendation: restrict the types and locations of files that can be uploaded. Implement strict access controls and require explicit user confirmation for uploads, especially for files outside a designated working directory. Log all upload activity for auditing. | LLM | scripts/sync-to-overleaf.sh:19 |
| HIGH | **Excessive Permissions: Policy Violation for Pushing to Overleaf.** The `SKILL.md` explicitly states a policy: '❌ 禁止自行推送到 Overleaf' (Pushing to Overleaf independently is forbidden) and '⚠️ 推送需要 Eason 明確授權,每次授權只能推一次' (Pushing requires explicit authorization from Eason, and each authorization permits only one push). However, the `scripts/sync-to-overleaf.sh` script provides a direct mechanism for pushing local files to Overleaf which, if executed by the agent based on user input, directly violates this policy. Recommendation: ensure that the agent's execution environment strictly enforces the stated policies. The `sync-to-overleaf.sh` script should be callable only under conditions that satisfy the 'explicit authorization' requirement, or its functionality should be removed if independent pushes are truly forbidden. Implement robust checks within the agent's logic to prevent unauthorized pushes. | LLM | SKILL.md:96 |
Full report: https://skillshield.io/report/61c1187ac9bac2c1