AntFleet

Disagreement · b33097c8-openai-0

Audit skill fetches GitHub URLs without converting to raw content or handling repo URLs, likely auditing HTML instead of code

solo GPT-5
repo 6f7fc663 · PR #28 · reviewed 1 week ago

GPT-5 finding

medium · bug · high
  • skills/vvvkernel-audit/SKILL.md:15-16
  • skills/vvvkernel-audit/SKILL.md:21-24
Fetching a standard GitHub URL (repo root, tree, or blob) via HTTP returns HTML, not the raw file content. For repo URLs, there is no single raw file to fetch; for file URLs, the correct raw host is raw.githubusercontent.com or the GitHub API. As written, the workflow will likely ingest HTML and audit it as code, producing incorrect findings.

Recommendation

- Detect whether the GitHub URL is a file (contains /blob/) or a directory (/tree/ or repo root).
- For file URLs, convert to raw.githubusercontent.com format or use the GitHub Contents API to fetch the raw file (with auth token if needed).
- For repo or directory URLs, enumerate files (e.g., GitHub API to list source files by extension) and fetch each raw file.
- Validate Content-Type to ensure text/plain or a known source type before auditing; reject text/html responses.
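
An added illustration of the recommendation above (example code, not AntFleet's or the audited skill's own): it classifies a GitHub URL as file, directory or unsupported, rewrites blob URLs to the raw host, builds the Contents API listing URL for directories, and rejects HTML bodies before anything is audited. Function names are assumptions; the URL shapes are the public github.com / raw.githubusercontent.com / api.github.com conventions.

```python
from urllib.parse import urlparse

RAW_HOST = "raw.githubusercontent.com"
API_HOST = "api.github.com"


def classify_github_url(url):
    """Return ("file", raw_url), ("dir", (owner, repo, ref, path)) or ("unsupported", None).

    ref is None for a bare repo root, meaning the default branch should be used.
    Caveat: branch names containing '/' cannot be split from the path without the API.
    """
    p = urlparse(url)
    if p.netloc not in ("github.com", "www.github.com"):
        return ("unsupported", None)
    parts = [s for s in p.path.split("/") if s]
    if len(parts) < 2:
        return ("unsupported", None)
    owner, repo = parts[0], parts[1]
    if len(parts) == 2:                      # repo root: HTML page, nothing raw to fetch
        return ("dir", (owner, repo, None, ""))
    kind = parts[2]
    if kind == "blob" and len(parts) >= 5:   # single file -> raw host serves the bytes
        ref, path = parts[3], "/".join(parts[4:])
        return ("file", f"https://{RAW_HOST}/{owner}/{repo}/{ref}/{path}")
    if kind == "tree" and len(parts) >= 4:   # directory -> must be enumerated
        ref, path = parts[3], "/".join(parts[4:])
        return ("dir", (owner, repo, ref, path))
    return ("unsupported", None)


def contents_api_url(owner, repo, ref, path):
    """Contents API URL that lists a directory as JSON instead of an HTML tree page."""
    url = f"https://{API_HOST}/repos/{owner}/{repo}/contents/{path}".rstrip("/")
    return f"{url}?ref={ref}" if ref else url


def is_auditable_body(content_type, body):
    """Guard against auditing an HTML page as code: check the header, then sniff the body."""
    ct = (content_type or "").split(";")[0].strip().lower()
    if ct == "text/html":
        return False
    head = body.lstrip()[:256].lower()
    if head.startswith(b"<!doctype html") or head.startswith(b"<html"):
        return False
    return True
```

The raw host answers with text/plain for source files, so a text/html response on a fetched URL is a reliable sign that a github.com page, not the file, was retrieved.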

Other reviewer

The other reviewer flagged nothing in this file/line range.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.
