review-overleaf

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches Overleaf review threads via the overleaf_reviews.py call in Step 4 (producing message objects with user-generated content) and then the Edit loop in Step 5 reads those messages and uses them to propose and apply edits, so untrusted third-party comments can influence agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill runs a local script at runtime that fetches Overleaf review threads from https://www.overleaf.com/project/, and those fetched comments are parsed and injected into the agent's edit loop (directly controlling prompts/instructions), making the Overleaf URL a required runtime external dependency.