prove
Fail
Audited by Gen Agent Trust Hub on Mar 23, 2026
Risk Level: CRITICAL
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill directs the agent to download a script from 'https://raw.githubusercontent.com/leanprover/elan/master/elan-init.sh' and pipe it directly to the shell ('sh'). This method of remote code execution lacks integrity verification and poses a high risk of arbitrary code execution from a source not listed as trusted.
- [COMMAND_EXECUTION]: The skill utilizes the 'Bash' tool to perform a variety of system-level operations, including prerequisite checks and the execution of the Lean build system, which can be exploited if malicious commands are introduced.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection during the research and implementation phases.
  - Ingestion points: Untrusted data is ingested from the web using 'WebSearch', 'WebFetch', and 'loogle-search'.
  - Boundary markers: The skill does not employ boundary markers or instructions to isolate instructions found within external data.
  - Capability inventory: The agent can execute system commands and modify files, creating a path for malicious data to impact the system environment.
  - Sanitization: Content from external sources is not sanitized or validated before being used to inform the proof design or the creation of Lean files.
- [EXTERNAL_DOWNLOADS]: The skill performs large external downloads, specifically the Mathlib library (~2GB), and uses 'curl' to fetch installation scripts from the internet.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/leanprover/elan/master/elan-init.sh - DO NOT USE without thorough review
- AI detected serious security threats