Back to skill

Security audit

Leanstral Formal Verification

Security checks across malware telemetry and agentic risk

Overview

This is a mostly coherent Lean/Mistral verification guide, but it overstates safety around compiling AI-generated Lean files on the user's machine.

Install only if you are comfortable sending chosen theorem statements and code to Mistral. Use a dedicated API key, remove secrets and proprietary details from prompts, review generated theorem statements, add explicit sorry/admit rejection yourself, and run generated Lean builds in a disposable project or sandbox.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

External Transmission

Medium
Category
Data Exfiltration
Content
The primary way to use this skill: call the Mistral API directly.

```bash
curl -X POST "https://api.mistral.ai/v1/chat/completions" \
  -H "Authorization: Bearer $MISTRAL_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
95% confidence
Finding
curl -X POST "https://api.mistral.ai/v1/chat/completions" \ -H "Authorization: Bearer $MISTRAL_API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
for i in 1 2 3; do
  curl -s -X POST "https://api.mistral.ai/v1/chat/completions" \
    -H "Authorization: Bearer $MISTRAL_API_KEY" \
    -H "Content-Type: application/json" \
    -d "{\"model\":\"labs-leanstral-2603\",\"temperature\":1.0,\"max_tokens\":32000,\"messages\":[{\"role\":\"user\",\"content\":\"$(cat proof_request.txt | jq -Rs .)\"}]}" \
Confidence
95% confidence
Finding
curl -s -X POST "https://api.mistral.ai/v1/chat/completions" \ -H "Authorization: Bearer $MISTRAL_API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
The primary way to use this skill: call the Mistral API directly.

```bash
curl -X POST "https://api.mistral.ai/v1/chat/completions" \
  -H "Authorization: Bearer $MISTRAL_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
95% confidence
Finding
https://api.mistral.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
client = OpenAI(
    api_key="***",
    base_url="https://api.mistral.ai/v1"
)

response = client.chat.completions.create(
Confidence
90% confidence
Finding
https://api.mistral.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
for i in 1 2 3; do
  curl -s -X POST "https://api.mistral.ai/v1/chat/completions" \
    -H "Authorization: Bearer $MISTRAL_API_KEY" \
    -H "Content-Type: application/json" \
    -d "{\"model\":\"labs-leanstral-2603\",\"temperature\":1.0,\"max_tokens\":32000,\"messages\":[{\"role\":\"user\",\"content\":\"$(cat proof_request.txt | jq -Rs .)\"}]}" \
Confidence
95% confidence
Finding
https://api.mistral.ai/

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.