Security audit

lean4-theorem-proving

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Lean 4 proof-assistance skill whose expected workflows are build, search, repair, and optional external lookup; users should be careful with external searches and with generated patches.

Install this as a Lean 4 assistance skill, not as a general automation authority. Use local search first, review any generated patch before applying it, run repair work from version control, and avoid sending private theorem statements or proof states to external search services unless that is acceptable for your project.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding
The API reference introduces `lean_leanfinder` as an external semantic-search tool even though the earlier documented external tool set does not list it. This kind of documentation/manifest drift can cause operators and users to miss that an additional network-capable capability exists, undermining review, allowlisting, and threat modeling for outbound data flows.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The document states that the external tools are limited to a specific set, but later adds another external tool. This inconsistency can mislead users into believing only the listed tools can transmit data externally, which weakens informed consent and security review for a skill that may send proof goals or repository content to third-party services.

Intent-Code Divergence

Severity: Low
Confidence: 89%
Finding
The shared rate-limit list omits a later-documented external tool, creating inconsistent security expectations around outbound requests. While primarily a documentation flaw, it can contribute to unsafe operational assumptions, incomplete monitoring, and user confusion about which tools contact third-party services.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
The trigger description is extremely broad and effectively scopes the skill to almost any Lean 4 interaction. In an agent system, overly broad activation criteria can cause unintended invocation, tool overuse, and context capture in situations where a narrower or more specialized skill should apply.

Vague Triggers

Severity: Medium
Confidence: 95%
Finding
The guidance explicitly says to use the skill for any Lean 4 development, removing meaningful scope constraints. This increases the chance the skill is invoked by default across broad workflows, which can lead to misrouting, unnecessary automation, and excessive trust in the skill's prescribed process.

Missing User Warnings

Severity: Low
Confidence: 76%
Finding
The guide instructs users to apply patches and repeatedly build files, which modifies the local working tree, but it does not clearly warn that these commands change repository state. In an agent-skill context, omitting explicit modification warnings can lead to unintended edits, a dirty git state, or generated patches being applied without informed user consent.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The documentation says external search tools make HTTP requests to third-party services but does not clearly warn that user queries, theorem statements, proof states, or other project-derived text may leave the local environment. In a theorem-proving workflow, proof goals and code fragments may contain proprietary research, unpublished results, or sensitive repository context, so silent off-box transmission is a meaningful confidentiality risk.

VirusTotal

67/67 vendors flagged this skill as clean.