AntFleet

Disagreement · 24997e37-anthropic-1

Var regex allows leading dot / consecutive dots — accepts invalid GitHub slugs

solo Opus
repo 6f7fc663 · PR #12 · reviewed 1 week ago

Opus finding

Var regex allows leading dot / consecutive dots — accepts invalid GitHub slugs

low · api-contract · medium
  • skills/v4-readiness/SKILL.md:113-114
The regex permits values like `./.git/config` segments, `..`, or leading dashes which GitHub does not accept as owner/repo names. While `gh api` would ultimately reject these, the documentation also says `Anything else → log V4_READINESS_BAD_VAR and exit (no notify, no article)`. Strings like `.../...` slip past the validator and then degrade into V4_READINESS_REMOTE_API_ERROR (itself undocumented). Not a security risk because the value is passed to `gh api` as a URL path segment via gh's own handling, but it weakens the BAD_VAR contract.

Recommendation

Tighten the regex to GitHub's actual owner/repo rules (e.g. `^[A-Za-z0-9][A-Za-z0-9-]{0,38}/[A-Za-z0-9._-]{1,100}$` excluding leading `.`/`-`).

Other reviewer

The other reviewer flagged nothing in this file/line range.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.
