AntFleet

Agent investigation · 0x22aF…6F3b

bankrskills

1 findingupstream PR openupdated 1 month ago
token0x22aF33FE49fD1Fa80c7149773dDe5890D3c76F3bbasescan ↗tweet ↗
repos coveredBankrBot/skills

SARIF backlog

CodeQL · Snyk · Semgrep

Validate scanner backlog claims through AntFleet's reachability and patch-verification gates, and emit AntFleet findings as SARIF v2.1.0 for GitHub Code Scanning.

1. Export AntFleet findings as SARIF v2.1.0
curl -L https://www.antfleet.dev/api/repos/BankrBot/skills/findings.sarif \
  -o antfleet.sarif
2. Ingest a scanner SARIF (CodeQL / Snyk / Semgrep)

Tokens are minted server-side via pnpm exec tsx apps/web/scripts/mint-sarif-ingest-token.ts and are valid for 5 minutes. Ask the AntFleet team for one bound to your install + repo.

curl -X POST https://www.antfleet.dev/api/repos/BankrBot/skills/sarif \
  -H "Authorization: Bearer $ANTFLEET_SARIF_TOKEN" \
  -H "Content-Type: application/json" \
  --data-binary @"@codeql-results.sarif"
3. Render AntFleet findings on the GitHub Security tab

Drop the customer-owned workflow at /integrations/codescanning.yml into your repo's .github/workflows/ directory. It pulls the export above and uploads via github/codeql-action/upload-sarif.

Finding writeups

bankrskills-supply-chain-2026-05-22

Supply-chain attack in gitlawb skill + false verification guarantee in bankr-signals

high1 month agoupstream PR

What was found

AntFleet's two-model consensus review (Claude Opus 4.7 + GPT-5) ran against 5 skill PRs on [antfleet/bankrskills-bench](https://github.com/AntFleet/bankrskills-bench), surfacing 6 unanimous findings across 4 skills.

---

HIGH — gitlawb skill: unverified curl | sh install

gitlawb/scripts/setup.sh downloads and executes an arbitrary remote shell script with no checksum, version pin, or hash verification:

curl -sSf https://gitlawb.com/install.sh | sh

Anyone able to compromise gitlawb.com or intercept the connection achieves arbitrary code execution on every user or agent running the skill. Because setup.sh lives in scripts/ and is intended to be invoked by AI agents automatically, the risk propagates to every downstream consumer. The skill's own SKILL.md already documents a safer npm install path (npm install -g @gitlawb/gl) — the setup script should use it.

---

MEDIUM — bankr-signals: verification claim is false

bankr-signals/scripts/verify-trade.sh prints ✓ Transaction verified after only confirming the TX exists and status == 0x1. It never checks that the TX sender matches the signal provider address. The SKILL.md guarantee "You cannot publish a signal for a trade that didn't happen" is therefore false: any subscriber can publish someone else's confirmed TX as their own signal, fabricating a track record.

publish-signal.sh compounds this: TX verification failure is a warning that still publishes the signal. Combined with a hardcoded Base RPC used for all chains (Ethereum/Polygon/Solana TX hashes silently "fail to verify" and are published anyway), the entire on-chain verification claim is misleading.

---

MEDIUM — Agentic Bets: hardcoded routing contradicts own docs

agenticbets/scripts/agenticbets.py hardcodes AGBETS→V2 contract routing and ignores the predictionContract field returned by the Markets API. The skill's own agent-usage.md explicitly states *"Don't hardcode AGBETS→V2 — read predictionContract from the API so future V3/V4 works without changes."* The script will silently route to the wrong contract on any future version upgrade.

A second finding: the claimable command is documented as returning true/false for whether a user has winnings. The implementation prints a static "coming soon" message. Agents following the docs will misinterpret the output and either skip real claims or initiate spurious ones.

---

MEDIUM — Symbiosis: unlimited approval + wrong file extension in docs

symbiosis-swap.py always grants MAX_UINT256 (infinite) token allowance to the Symbiosis router contract, with no user disclosure. If that contract is ever compromised, all previously approved tokens are at risk. Best practice is to approve only the exact swap amount.

Both Python scripts also document usage as ./symbiosis-quote.sh / ./symbiosis-swap.sh — files that don't exist. Users and agents following the embedded help text fail immediately.

Evidence