The Agent Skills Directory

[PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8) due to its core design of processing untrusted inputs and having execution capabilities. \n
Ingestion points: The $ARGUMENTS variable (containing theorem statements and proof outlines) is processed in Step 1 and Step 2 of the workflow. \n
Boundary markers: None. Untrusted input is directly interpolated into file comments and analyzed for code generation without delimiters. \n
Capability inventory: Access to the shell tool (to run lake build) and file tool (to write lean_proof.lean). In Lean 4, the compilation process can execute arbitrary code during elaboration via tactics or the IO monad. \n
Sanitization: No sanitization or validation of the input theorem/outline is performed. \n- [COMMAND_EXECUTION] (MEDIUM): The skill executes lake build via the shell. While this is the intended functionality for a Lean assistant, it executes code derived from untrusted user input, which can be exploited if the user provides malicious Lean code snippets disguised as a theorem.

aristotle-emulator