prove
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- Remote Code Execution (HIGH): The skill instructs the installation of 'elan' via
curl https://raw.githubusercontent.com/leanprover/elan/master/elan-init.sh -sSf | sh. Piped execution of remote scripts is a critical attack vector. Since the 'leanprover' organization is not included in the 'Trusted GitHub Organizations' list, this remains a high severity finding. - External Downloads (MEDIUM): The skill downloads the 'Mathlib' library (~2GB) and utilizes external tools such as 'loogle', Nia, and Perplexity, which are unverified third-party dependencies.
- Command Execution (MEDIUM): The skill uses the
Bashtool to run the Lean compiler (lake) and execute dynamically generated Lean files (test_lemmas.lean,proofs/*.lean). While this is the primary purpose of the skill, it involves running logic derived from external sources. - Prompt Injection (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8) due to its dependency on untrusted data from web research to design and implement proof scripts. Mandatory Evidence Chain: 1. Ingestion points: untrusted data enters via
WebSearch,WebFetch, andloogle-search(Phase 1). 2. Boundary markers: Absent; no instructions provided to the agent to treat external content as untrusted. 3. Capability inventory: UsesBashandWriteto create and execute code. 4. Sanitization: Absent; search results directly inform the proof structure in the Design and Implement phases.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/leanprover/elan/master/elan-init.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata