AntFleet

Disagreement · 1ea5c6c4-anthropic-6

code-reviewer comment body shell-interpolates LLM-generated text into gh comment

solo Opus
repo 6f7fc663·PR #13·reviewed 1 week ago

Opus finding

medium · security · medium
  • templates/code-reviewer/SKILL.md:47-52
The template shows the comment body as a double-quoted shell string with placeholders for model-generated content ([verdict text], [bullet 1]). Operators following this pattern will substitute LLM output directly into a double-quoted bash string, exposing them to command substitution / variable expansion ($(rm -rf ~), `…`) if the model is prompted to include such tokens — a known prompt-injection class issue (PR titles are operator-controlled and bypass review). gh CLI supports `--body-file -` with stdin or a temp file; the template should model that safer pattern given it is the canonical reference.

Recommendation

Recommend `gh pr comment --body-file body.md` (write the body to a file with no shell expansion) instead of inlined `--body "…"` interpolation.
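The difference between the two patterns, as an added shell example (not code from the reviewed repository or from the finding itself). `fake_gh_comment` is a hypothetical offline stand-in for `gh pr comment`, `$PR` is an assumed variable, and the model text is constructed with harmless markers.

```shell
#!/bin/sh
# Added illustration; not code from the reviewed repository.
# Constructed model output carrying harmless expansion markers.
MODEL_TEXT='Verdict: approve. $(echo INJECTED) `echo BACKTICK`'

# Hypothetical offline stand-in for `gh pr comment`: returns the body it
# would post. Only the two flags used below are handled.
fake_gh_comment() {
  case "$1" in
    --body) printf '%s' "$2" ;;
    --body-file)
      if [ "$2" = "-" ]; then cat; else cat "$2"; fi ;;
  esac
}

# Unsafe: the text is pasted into the command source inside double quotes,
# which is what filling in the template placeholders amounts to. eval models
# the shell parsing that pasted command line.
unsafe_post() {
  eval "fake_gh_comment --body \"$1\""
}

# Safe: the text travels as data on stdin and is never parsed as shell source.
# Real equivalent: printf '%s' "$body" | gh pr comment "$PR" --body-file -
safe_post() {
  printf '%s' "$1" | fake_gh_comment --body-file -
}

printf 'unsafe: %s\n' "$(unsafe_post "$MODEL_TEXT")"
printf 'safe:   %s\n' "$(safe_post "$MODEL_TEXT")"
```

In the unsafe path both markers are executed and replaced by their output before the comment is posted; in the safe path the body arrives byte-for-byte as the model wrote it.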

Other reviewer

The other reviewer flagged nothing in this file/line range.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.

From the same review

These findings passed the unanimous gate on the same PR review. The disagreement above was filtered out; the findings below were posted.