AntFleet

Anatomy · 219fd253-0

Insecure install method using curl | sh without integrity verification

high · security · closed in 24c537d
repo a16d2030·PR #3·reviewed 1 week ago·closed 1 week ago

The vulnerable code

gitlawb/scripts/setup.sh:11-13

11 echo "Installing gl CLI..."
12 curl -sSf https://gitlawb.com/install.sh | sh
13 else

The reasoning

Opus

setup.sh pipes remote install script to shell without verification

high · security · high
  • gitlawb/scripts/setup.sh:11-13
The setup script downloads and executes an arbitrary remote shell script with no checksum, signature, or pinned-version verification. Anyone able to MITM or compromise gitlawb.com (or its TLS chain) can achieve arbitrary code execution on every user running setup.sh. Because setup.sh is in `scripts/` and intended to be run by users/agents onboarding to the skill, this propagates the risk to every consumer of the skill. The README documents the same pattern, but inside an automated helper script the risk is materially worse: agents may run setup.sh without the user reading it. At minimum a checksum verification step (download to tempfile, verify sha256, then execute) should be used; ideally prefer the npm or Homebrew install paths which are already documented as alternatives in SKILL.md.

Recommendation

Either (a) replace the curl|sh with `npm install -g @gitlawb/gl` (already listed as the recommended install method in SKILL.md), or (b) download install.sh to a temp file, verify a pinned SHA-256 published out-of-band, and only then execute. Also fail closed if the download fails (currently `set -euo pipefail` will catch curl failures, but the piped `sh` masks the exit code on some shells — use `set -o pipefail` explicitly and check `${PIPESTATUS[@]}`).

GPT-5

Insecure install pipeline via curl | sh without integrity verification

high · security · high
  • gitlawb/SKILL.md:47-49
  • gitlawb/scripts/setup.sh:12
Both the public docs and the setup script instruct or perform a direct remote script execution (curl | sh) over HTTPS with no checksum, signature, or pinning. This is a common supply-chain risk: a compromised endpoint or transit MITM could lead to arbitrary code execution. While TLS reduces risk, best practice is to verify integrity/signature or use a package manager.

Recommendation

- Prefer package managers (npm or Homebrew) already listed in SKILL.md.
- If retaining a shell installer, download to disk and verify integrity before execution (e.g., pinned SHA-256 or a detached signature with a published key), then execute the verified file. Example flow: `curl -fsSL -o /tmp/gl-install.sh <url>; sha256sum -c <expected_sum_file>; sh /tmp/gl-install.sh`.
- In setup.sh, branch to `npm install -g @gitlawb/gl` or `brew install gl` when available, and only fall back to a verified installer.
- Document the verification step in SKILL.md to guide users to safer installation.
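The download-verify-execute flow both reviewers recommend, written out as runnable shell. This is an added example, not code from the gitlawb repository or its setup.sh: the pinned digest is a placeholder the project would publish out-of-band, and `sha256sum` or `shasum` is assumed to be installed. Because nothing is piped into `sh`, there is no pipeline whose exit status can be masked, and a truncated download is rejected by the digest check rather than partially executed.

```shell
#!/bin/sh
# Added example, not the project's own code. Replaces `curl ... | sh` with
# download -> verify pinned SHA-256 -> execute, failing closed at every step.
set -eu

INSTALL_URL="https://gitlawb.com/install.sh"                     # URL from the finding
PINNED_SHA256="PLACEHOLDER_SHA256_PUBLISHED_OUT_OF_BAND"          # assumption: published by the project

# Hex SHA-256 of a file; sha256sum (Linux) or shasum (macOS). If neither runs,
# the result is empty and the comparison below fails closed.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Return 0 only when the file's digest equals the pinned value.
verify_file() {
  local file="$1" expected="$2" actual
  actual=$(sha256_of "$file")
  if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $file: expected $expected, got '${actual:-<none>}'" >&2
    return 1
  fi
  return 0
}

# Fetch to a temp file (never straight into a shell), verify, then run.
# --proto '=https' forbids redirects to plain HTTP; -f makes HTTP errors fail.
install_verified() {
  local url="$1" expected="$2" tmp rc
  tmp=$(mktemp) || return 1
  if curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$url" \
     && verify_file "$tmp" "$expected"; then
    sh "$tmp" && rc=0 || rc=$?
  else
    echo "refusing to execute unverified installer from $url" >&2
    rc=1
  fi
  rm -f "$tmp"
  return "$rc"
}

# Only perform the real (network) install when explicitly requested.
if [ "${RUN_INSTALL:-0}" = "1" ]; then
  install_verified "$INSTALL_URL" "$PINNED_SHA256"
fi
```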

The agreement

Both frontier models flagged this within the same line range. AntFleet's unanimous gate fired — the finding posted on the PR. Closed in 24c537d.

The fix

11 echo "Installing gl CLI..."
12 curl -sSf https://gitlawb.com/install.sh | sh
13 else

Closure

Closed 1 week ago

SHA: 24c537d16fd561f3417259090b34da1e2ba82136


Tweet thread template

tweet 1 of 8 · 155 / 280

Two frontier models reviewed PR #3 on a16d2030. Both found this bug: high security: Insecure install method using curl | sh without integrity verification

tweet 2 of 8 · 116 / 280

The vulnerable code (gitlawb/scripts/setup.sh:11-13): (full snippet at https://www.antfleet.dev/anatomy/219fd253-0)

tweet 3 of 8 · 280 / 280

What Opus saw: "The setup script downloads and executes an arbitrary remote shell script with no checksum, signature, or pinned-version verification. Anyone able to MITM or compromise gitlawb.com (or its TLS chain) can achieve arbitrary code execution on every user running setu…

tweet 4 of 8 · 280 / 280

What GPT-5 saw: "Both the public docs and the setup script instruct or perform a direct remote script execution (curl | sh) over HTTPS with no checksum, signature, or pinning. This is a common supply-chain risk: a compromised endpoint or transit MITM could lead to arbitrary cod…

tweet 5 of 8 · 97 / 280

Both flagged the same line range. AntFleet's unanimous gate fired — the finding posted on the PR.

tweet 6 of 8 · 93 / 280

The fix landed in commit 24c537d: (view diff at https://www.antfleet.dev/anatomy/219fd253-0)

tweet 7 of 8 · 81 / 280

AntFleet reviews every PR with two frontier models. Only unanimous findings post.

tweet 8 of 8 · 77 / 280

Full anatomy + reasoning + diffs: https://www.antfleet.dev/anatomy/219fd253-0

Paste into X composer one tweet at a time. X has no multi-tweet intent API.