AntFleet

Disagreement · 18907f89-openai-4

Overbroad secret exposure to AI process and tool sandbox increases exfiltration risk

solo GPT-5
repo 6f7fc663 · PR #31 · reviewed 1 week ago

GPT-5 finding

Overbroad secret exposure to AI process and tool sandbox increases exfiltration risk

medium · security · medium
  • .github/workflows/aeon.yml
The Run step injects many secrets (GitHub, messaging, API keys) into the environment used by the LLM tool (claude) while the allowedTools include Bash(curl:*), Bash(git:*), Bash(gh:*). A prompt-compromised or misbehaving agent could exfiltrate credentials not needed for the current skill. Principle of least privilege is not enforced per-skill.

Recommendation

Scope secrets per-skill and per-channel, only exporting those required for the selected skill. Consider: (1) mapping skills to required secrets and conditionally populating env, (2) removing general-purpose curl:* from allowedTools or adding allowlisted destinations, (3) using short-lived GitHub tokens scoped to the repo, (4) masking or gating sensitive operations behind preflight authorization.
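One way to apply points (1) and (3) of the recommendation in a GitHub Actions workflow, as an added illustration that is not the PR's aeon.yml: the secret names, the `skill` input, the job names and the agent script path are all assumed placeholders.

```yaml
# Added illustration (not the PR's aeon.yml): secret names, the
# `skill` input and the agent script are assumed placeholders.
name: aeon-scoped
on:
  workflow_dispatch:
    inputs:
      skill:
        description: "Which skill the agent runs"
        required: true
        type: choice
        options: [triage, notify]

# Narrow the built-in, short-lived GITHUB_TOKEN instead of exporting a broad PAT.
permissions:
  contents: read
  pull-requests: write

jobs:
  # Before: one step exports every secret no matter which skill runs,
  # so any skill (and anything that compromises it) can read all of them.
  agent-overbroad:
    if: ${{ false }}   # kept only for comparison; never runs
    runs-on: ubuntu-latest
    steps:
      - run: ./scripts/run-agent.sh "${{ inputs.skill }}"
        env:
          GH_TOKEN: ${{ secrets.GH_PAT }}
          SLACK_TOKEN: ${{ secrets.SLACK_TOKEN }}
          VENDOR_API_KEY: ${{ secrets.VENDOR_API_KEY }}

  # After: one step per skill; each step's env carries only the secrets
  # that skill needs, and unselected steps are skipped entirely.
  agent-scoped:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: triage skill (repo access only)
        if: inputs.skill == 'triage'
        run: ./scripts/run-agent.sh triage
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}   # repo-scoped, expires with the job
      - name: notify skill (messaging only)
        if: inputs.skill == 'notify'
        run: ./scripts/run-agent.sh notify
        env:
          SLACK_TOKEN: ${{ secrets.SLACK_TOKEN }}
```

Secrets referenced only in a skipped step are never materialised in the runner process, which is the per-skill boundary the finding asks for; allowlisting curl destinations (point 2) still has to be handled in the agent's tool configuration, not in the workflow.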

Other reviewer

The other reviewer flagged nothing in this file/line range.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.
