AntFleet

Disagreement · b6cf244f-anthropic-9

publish-signal.sh assumes ENTRY_PRICE/AMOUNT_PCT are valid JSON numbers — passes via --argjson without validation

mismatch
repo a16d2030·PR #5·reviewed 1 week ago

Primary finding

publish-signal.sh assumes ENTRY_PRICE/AMOUNT_PCT are valid JSON numbers — passes via --argjson without validation

mediumapi-contracthigh
  • bankr-signals/scripts/publish-signal.sh:100-130
If ENTRY_PRICE or AMOUNT_PCT is empty, contains commas (e.g. '2,750.50'), or contains arbitrary characters, jq's --argjson will fail with an opaque error, or worse, accept attacker-controlled JSON fragments (e.g. ENTRY_PRICE='1, "injected":true') merging extra keys into the signal object. The integration.md example pulls entry-price from a shell pipeline with `.result.price // 0`, which can legitimately become an empty string if the bankr output schema drifts — leading to a confusing failure.

Recommendation

Validate numeric fields with a regex (e.g. `^-?[0-9]+(\.[0-9]+)?$`) before passing to jq. Same for AMOUNT_PCT, STOP_LOSS_PCT, TAKE_PROFIT_PCT, CONFIDENCE.

Counterpart finding

Fallback dependency to ~/clawd/scripts/with-secrets.sh is undocumented and likely absent

lowmaintainabilityhigh
  • bankr-signals/scripts/publish-signal.sh:131-133
The fallback references a hardcoded path (~/clawd/scripts/with-secrets.sh) that is not declared in SKILL metadata or installation instructions. On most systems this path will not exist, causing silent failure paths or confusion.

Recommendation

- Remove the fallback and require NET_PRIVATE_KEY (or BOTCHAN_PRIVATE_KEY) to be set, with a clear error message, or vendor the helper script into this repo and reference it relative to SCRIPT_DIR. - Document any required external helper scripts in SKILL.md metadata ‘requires’.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.

read the methodology →

From the same review

These findings passed the unanimous gate on the same PR review. The disagreement above was filtered out; the findings below were posted.

← back to all disagreementsview public receiptssee unanimous findings + anatomies →
Tweet ↗