Disagreement · 1ea5c6c4-anthropic-4

crypto-tracker interpolates CoinGecko ID into URL without encoding

solo Opus

repo 6f7fc663·PR #13·reviewed 1 week ago

Opus finding

crypto-tracker interpolates CoinGecko ID into URL without encoding

lowapi-contractmedium

templates/crypto-tracker/SKILL.md:17-25

Less severe than the reddit case because CoinGecko IDs are lowercase ascii slugs by convention, but `${var}` is operator-controlled at runtime and the doc explicitly invites overriding via `${var}`. No validation is done. Minor api-contract gap for the template.

Recommendation

Validate ID matches /^[a-z0-9-]+$/ before interpolation, or quote-encode.

Other reviewer

The other reviewer flagged nothing in this file/line range.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.

read the methodology →

From the same review

These findings passed the unanimous gate on the same PR review. The disagreement above was filtered out; the findings below were posted.

mediumbug
deploy-watcher Vercel API call uses projectId but interpolates project slug
view anatomy →

← back to all disagreements view public receipts see unanimous findings + anatomies →

Tweet ↗