aeon

What was wrong

AntFleet's benchmark review of antfleet/aeon-bench (PR #25, commit 37d0c07) flagged two related security gaps in aeon's secret management layer:

1. Unauthenticated secret-management endpoints

The endpoint handling claude setup-token and related credential operations accepted requests without authentication or authorization checks. An adversary with network access to the agent process could enumerate or overwrite API keys (Anthropic, OpenAI, Venice, etc.) without presenting any credential.

2. Token reassembly can splice non-printable bytes

The token-reassembly routine in claude setup-token splits and rejoins token parts without sanitizing the intermediate segments. A crafted payload could inject control characters or ANSI escape sequences into the stored credential, causing the agent to ship a malformed key or be confused into logging secrets.

Impact

Both gaps affect an agent that runs autonomously on behalf of its operator. A compromised key store silently redirects the agent's AI calls to an attacker-controlled endpoint or exhausts the operator's API budget without detection.

Additional findings (same benchmark run)

• PR #21: Undefined FORK_DEFAULT_BRANCH causes the agent to fetch

aeon.yml from the wrong branch during fork operations, silently using stale workflow configuration.

• PR #23: Sharp-move dedup window violates idempotency under same-minute

replays — a timing edge case that can cause duplicate trade signals.

• PR #28: Basescan claim "no key needed for source fetch" is likely wrong;

the endpoint requires a key under certain rate-limit conditions (open finding).

Benchmark artifact

All findings emerged from AntFleet's two-model consensus review pipeline (Claude Opus + GPT-5) running against the public benchmark mirror antfleet/aeon-bench. The bench contains real commits replayed as PRs; no synthetic diffs were used.

Evidence

• Benchmark repo: antfleet/aeon-bench
• Source PR: antfleet/aeon-bench#25
• Review commit: 37d0c07b30c051e368da12b053d89030eb45fee9
• Internal review ID: 6017bf3f-1629-4f62-87d4-8a0b92b71c37

In .github/workflows/messages.yml, the bot-message filter uses [ "$BOT_ID" = "null" ] to skip bot messages. However jq with // empty returns an empty string for absent bot_id fields — not the string null. The condition is therefore never true, so every bot message passes through unfiltered. The filter is a no-op in both directions.

Evidence

.github/workflows/messages.yml line 537 — string comparison against literal null; jq .bot_id // empty returns empty string not null for absent fields.

In scripts/postprocess-admanage.sh, the daily spend cap check uses awk arithmetic on TODAY_SPEND. When the ad platform API returns a non-numeric or empty value, awk silently coerces it to 0 — which is always under the cap — so the guard passes and ads are launched without a valid spend figure. A network error, API change, or malformed response is enough to trigger uncapped ad spend.

Evidence

scripts/postprocess-admanage.sh — awk coercion of TODAY_SPEND before the cap comparison; no numeric validation of the API response prior to the check.