AntFleet

Disagreement · b6cf244f-anthropic-2

subscribe.sh does not enforce config.json risk.max_providers cap

solo Opus
repo a16d2030 · PR #5 · reviewed 1 week ago

Opus finding

subscribe.sh does not enforce config.json risk.max_providers cap

low · api-contract · medium
  • bankr-signals/scripts/subscribe.sh:30-50
  • bankr-signals/SKILL.md:195-205
SKILL.md documents a max_providers risk knob in config.json. subscribe.sh never reads or enforces it, so the user-advertised cap is silent: users believe they have a guardrail they don't.

Recommendation

Either remove max_providers from docs or have subscribe.sh read it and refuse to add a subscription past the limit.

Other reviewer

The other reviewer flagged nothing in this file/line range.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.


From the same review

These findings passed the unanimous gate on the same PR review. The disagreement above was filtered out; the findings below were posted.