AntFleet

Anatomy · e488cbca-1

Security scanner uses PCRE tokens (\s, \b) with grep -E, causing widespread false negatives

highsecurityclosed in 4b9b492
repo 6f7fc663·PR #29·reviewed 1 week ago·closed 1 week ago

The vulnerable code

skills/skill-security-scan/scan.sh:196-196

196    matches=$(grep -nE "$pattern" "$file" 2>/dev/null || true)

The reasoning

Opus

Scanner scans itself and self-flags HIGH due to pattern strings, producing false positives on --all

mediumbughigh
  • skills/skill-security-scan/scan.sh:79-85
  • skills/skill-security-scan/SKILL.md:1-60
When run with --all, scan.sh finds skills/skill-security-scan/SKILL.md and scans it. That SKILL.md contains literal strings like "ignore previous instructions", "you are now...", "rm -rf", "git push --force", and "curl/wget" exfiltration discussions which match HIGH and MEDIUM patterns (e.g. '[Ii]gnore\s+(all\s+)?previous\s+instructions', '[Yy]ou\s+are\s+now\s+', 'rm\s+-rf\s+\*', 'git\s+push\s+--force'). As a result, the skill that defines the scan will FAIL its own scan, causing the orchestrator (per SKILL.md step 6) to notify and exit 1 even when nothing is wrong. There is no allowlist/self-skip and no trusted-source filtering actually applied in scan.sh (TRUSTED_OWNERS/TRUSTED_REPOS are loaded but never consulted).

Recommendation

Either (a) exclude the security-scan skill from --all by default, (b) treat fenced-code/threat-model sections in SKILL.md differently, or (c) actually consult TRUSTED_OWNERS/TRUSTED_REPOS to downgrade self-scan / known sources to format validation as the SKILL.md step 3 promises.

GPT-5

Security scanner uses PCRE tokens (\s, \b) with grep -E, causing widespread false negatives

highsecurityhigh
  • skills/skill-security-scan/scan.sh:196
  • skills/skill-security-scan/scan.sh:81
  • skills/skill-security-scan/scan.sh:97
  • skills/skill-security-scan/scan.sh:106-109
  • skills/skill-security-scan/scan.sh:113-118
  • skills/skill-security-scan/scan.sh:136-141
  • skills/skill-security-scan/scan.sh:144-145
grep -E implements POSIX ERE, which does not support \s (whitespace) or \b (word boundary). These tokens are used throughout HIGH/MEDIUM/LOW patterns, so many intended matches (e.g., "rm -rf /", "curl http://...") will not be detected, producing false negatives and potentially allowing dangerous skills to pass.

Recommendation

Either: (a) rewrite patterns to POSIX ERE using [[:space:]]+, explicit separators, and avoid \b; or (b) switch to grep -P (PCRE) if available, with a runtime check/fallback to POSIX patterns. Example fixes: replace '\s+' with '[[:space:]]+', replace '\b' with '(^|[^[:alnum:]_])' around tokens; audit all patterns accordingly.

The agreement

Both frontier models flagged this within the same line range. AntFleet's unanimous gate fired — the finding posted on the PR. Closed in 4b9b492.

The fix

196    matches=$(grep -nE "$pattern" "$file" 2>/dev/null || true)

Closure

Closed 1 week ago

SHA: 4b9b49251c8c9808bf147d55aa2930352af2e8c0

View closure receipt on GitHub →

Tweet thread template

tweet 1 of 8177 / 280

Two frontier models reviewed PR #29 on 6f7fc663. Both found this bug: high security: Security scanner uses PCRE tokens (\s, \b) with grep -E, causing widespread false negatives

tweet 2 of 8128 / 280

The vulnerable code (skills/skill-security-scan/scan.sh:196-196): (full snippet at https://www.antfleet.dev/anatomy/e488cbca-1)

tweet 3 of 8280 / 280

What Opus saw: "When run with --all, scan.sh finds skills/skill-security-scan/SKILL.md and scans it. That SKILL.md contains literal strings like "ignore previous instructions", "you are now...", "rm -rf", "git push --force", and "curl/wget" exfiltration discussions which match …

tweet 4 of 8280 / 280

What GPT-5 saw: "grep -E implements POSIX ERE, which does not support \s (whitespace) or \b (word boundary). These tokens are used throughout HIGH/MEDIUM/LOW patterns, so many intended matches (e.g., "rm -rf /", "curl http://...") will not be detected, producing false negatives…

tweet 5 of 897 / 280

Both flagged the same line range. AntFleet's unanimous gate fired — the finding posted on the PR.

tweet 6 of 893 / 280

The fix landed in commit 4b9b492: (view diff at https://www.antfleet.dev/anatomy/e488cbca-1)

tweet 7 of 881 / 280

AntFleet reviews every PR with two frontier models. Only unanimous findings post.

tweet 8 of 877 / 280

Full anatomy + reasoning + diffs: https://www.antfleet.dev/anatomy/e488cbca-1

Paste into X composer one tweet at a time. X has no multi-tweet intent API.

view receipt →all receipts →view disagreements →case studies →