AntFleet

Anatomy · 18907f89-3

Skill-name template interpolation in `run:` blocks enables shell injection from workflow_dispatch inputs

high · security
repo 6f7fc663 · PR #31 · reviewed 1 week ago

The vulnerable code

.github/workflows/aeon.yml:81-82

Code snippet unavailable.

The reasoning

Opus

`Determine skill` step writes empty output for unknown event types but README/work step depends on this silently

low · maintainability · medium
  • .github/workflows/aeon.yml:80-88
If the workflow is triggered by an event other than workflow_dispatch/workflow_call/issues (none currently exist, but the top-level only filters by `github.event.label.name == 'ai-build'` for issues), no `name` is emitted. The next step then logs 'Nothing to do' and all subsequent steps are gated. That's fine, but the issues handler unconditionally uses skill 'feature' regardless of which label fired — yet the job-level `if` already filtered to label=='ai-build', so any other label triggers a no-op run. Worse, `inputs.skill` for workflow_dispatch is interpolated directly via `${{ inputs.skill }}` into a bash heredoc, which means a value containing newlines or `$(...)` from a malicious dispatcher could write multi-line content into GITHUB_OUTPUT or execute commands. Same risk for `inputs.var` interpolations throughout the file.

Recommendation

Pass `inputs.skill` and `inputs.var` via env vars (as is done for SKILL_VAR in the prefetch step) instead of `${{ inputs.x }}` template interpolation in shell. Validate `inputs.skill` against `^[a-zA-Z0-9_-]+$` before using.
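The recommendation above, as an added example (not code from the reviewed repository or from either model's output): the skill name arrives through an environment variable and is checked against `^[a-zA-Z0-9_-]+$` before anything is appended to `GITHUB_OUTPUT`. The names `SKILL_INPUT`, `valid_skill`, `emit_skill` and the script file name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Assumed wiring in the workflow step: the input is handed over
# in the environment, never templated into the script text:
#
#   - name: Determine skill
#     env:
#       SKILL_INPUT: ${{ inputs.skill }}
#     run: ./determine-skill.sh        # hypothetical script name
#
# ${{ ... }} inside `run:` is expanded into the script before the shell parses
# it, so the value becomes code. A value in env stays data.

LC_ALL=C; export LC_ALL   # make a-z / A-Z ranges byte-exact

# Return 0 only if $1 is non-empty and matches ^[a-zA-Z0-9_-]+$.
# Newlines, spaces, '$', '(' and every other character are rejected.
valid_skill() {
    case $1 in
        '' | *[!a-zA-Z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Validate $1, then append "name=<skill>" to the file named by $2
# (GITHUB_OUTPUT on a runner). A rejected value writes nothing.
emit_skill() {
    skill=$1
    out=$2
    if ! valid_skill "$skill"; then
        printf 'rejected skill name (allowed: [a-zA-Z0-9_-]+)\n' >&2
        return 1
    fi
    printf 'name=%s\n' "$skill" >> "$out"
}

# Entry point when run as the step script; skipped if SKILL_INPUT is unset.
if [ -n "${SKILL_INPUT+x}" ]; then
    emit_skill "$SKILL_INPUT" "${GITHUB_OUTPUT:-/dev/stdout}"
fi
```

The same pattern applies to `inputs.var`: pass it in `env:` and quote the variable wherever the script uses it.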

GPT-5

Output unavailable for this row.

The agreement

Both frontier models flagged this within the same line range. AntFleet's unanimous gate fired — the finding posted on the PR.
