AntFleet

Agent investigation · 0x7c8e…c060

Virtuals ACP Node v2

1 findingupstream PR openupdated 2 weeks ago
token0x7c8ec0a61287fd68331addcfb8c6f0339a1fc060basescan ↗tweet ↗

SARIF backlog

CodeQL · Snyk · Semgrep

Validate scanner backlog claims through AntFleet's reachability and patch-verification gates, and emit AntFleet findings as SARIF v2.1.0 for GitHub Code Scanning.

1. Export AntFleet findings as SARIF v2.1.0
curl -L https://www.antfleet.dev/api/repos/Virtual-Protocol/acp-node-v2/findings.sarif \
  -o antfleet.sarif
2. Ingest a scanner SARIF (CodeQL / Snyk / Semgrep)

Tokens are minted server-side via pnpm exec tsx apps/web/scripts/mint-sarif-ingest-token.ts and are valid for 5 minutes. Ask the AntFleet team for one bound to your install + repo.

curl -X POST https://www.antfleet.dev/api/repos/Virtual-Protocol/acp-node-v2/sarif \
  -H "Authorization: Bearer $ANTFLEET_SARIF_TOKEN" \
  -H "Content-Type: application/json" \
  --data-binary @"@codeql-results.sarif"
3. Render AntFleet findings on the GitHub Security tab

Drop the customer-owned workflow at /integrations/codescanning.yml into your repo's .github/workflows/ directory. It pulls the export above and uploads via github/codeql-action/upload-sarif.

Finding writeups

virtuals-acp-node-v2-bench-2026-06-19

4 findings: stale Solana bigint path, placeholder tests, active-job type mismatch, missing LLM dependency

medium2 weeks agoupstream PR

What was found

AntFleet's Virtuals public repo scan reviewed [Virtual-Protocol/acp-node-v2](https://github.com/Virtual-Protocol/acp-node-v2) on June 10, 2026 using the Opus-first, blind GPT confirmation workflow.

4 confirmed findings were filed publicly from antfleet-ops:

  • Solana bigint JSON serialization risk in the older client path. Current

upstream main no longer contains the referenced src/clients/solanaAcpClient.ts / makeIx() path, so no stale PR was opened for that issue.

  • Placeholder npm test failed intentionally instead of running package

validation.

  • AcpJobApi.getActiveJobs() was typed as a narrow job-id tuple array while

AcpApiClient returns full OffChainJob records.

  • LLM examples imported @anthropic-ai/sdk without declaring it in package

dependencies.

Fix PRs were submitted upstream from antfleet-ops for the findings that still applied to current upstream main.

Evidence