AntFleet

Disagreement · b83a0cbc-anthropic-1

Trusted-author list inconsistency: SKILL.md hardcodes 'aeonframework' and 'aaronjmars' but watched-repos.md is supposed to be the source of truth

solo Opus
repo 6f7fc663·PR #7·reviewed 1 week ago

Opus finding

Trusted-author list inconsistency: SKILL.md hardcodes 'aeonframework' and 'aaronjmars' but watched-repos.md is supposed to be the source of truth

low · docs-gap · medium
  • skills/pr-triage/SKILL.md:13-17
The skill states (in Constraints) 'Trusted-author allowlist is the single source of truth for internal PRs', yet two logins are hardcoded outside the file. A forked fleet running this skill under a different owner will silently treat 'aaronjmars' and 'aeonframework' as trusted, opening a class of accidental trust for any PR opened by those GitHub users in unrelated forks.

Recommendation

Remove the hardcoded names and require Trusted Authors to live only in memory/watched-repos.md, or scope the hardcoded names to the owning org only.
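The failure mode the finding describes, and the recommended fix, as an added example (this is illustration code, not code from the AntFleet page or from the reviewed repository). The layout of SKILL.md and memory/watched-repos.md, the '## Trusted Authors' heading, the backtick convention for logins, the fork's allowlist contents and the owning-org name are all assumptions made for the example. It shows how a fork that replaces watched-repos.md but keeps SKILL.md unchanged would still trust the two hardcoded logins, and a decision function that consults only the allowlist file and only for repos under the owning org, which combines both halves of the recommendation.

```python
"""Trusted-author allowlist consistency check.

Added example, not project code. File contents, headings and the
owning-org name below are assumptions for illustration.
"""
import re

# Constructed sample of the skill text (layout assumed).
SKILL_MD = """\
# pr-triage

## Constraints
- Trusted-author allowlist is the single source of truth for internal PRs.
- PRs from `aeonframework` or `aaronjmars` are internal; skip external triage.
"""

# Constructed sample of the allowlist file in the original fleet (layout assumed).
WATCHED_REPOS_MD = """\
# Watched repos

## Trusted Authors
- aeonframework
- aaronjmars
"""

# What a fork under a different owner would ship: its own allowlist,
# while the unchanged SKILL.md still carries the two literals.
FORK_WATCHED_REPOS_MD = """\
# Watched repos

## Trusted Authors
- forkmaintainer
"""

# Shape of a GitHub login: alphanumerics and hyphens, no leading/trailing hyphen, <= 39 chars.
LOGIN = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,37}[A-Za-z0-9])?"


def trusted_authors(watched_repos_md: str) -> frozenset[str]:
    """Parse the '## Trusted Authors' bullet list: the only allowlist that counts."""
    m = re.search(r"^## Trusted Authors\n((?:- .*\n?)+)", watched_repos_md, re.M)
    if m is None:
        return frozenset()
    return frozenset(line[2:].strip() for line in m.group(1).splitlines())


def hardcoded_logins(skill_md: str) -> frozenset[str]:
    """Backtick-quoted tokens in SKILL.md that look like logins; should be empty."""
    return frozenset(re.findall(rf"`({LOGIN})`", skill_md))


def accidental_trust(skill_md: str, fork_watched_repos_md: str) -> frozenset[str]:
    """Logins a fork would trust without ever having listed them in its own allowlist."""
    return hardcoded_logins(skill_md) - trusted_authors(fork_watched_repos_md)


def is_trusted_hardcoded(login: str) -> bool:
    """The pattern the finding flags: trust decided by literals in the skill text."""
    return login in {"aeonframework", "aaronjmars"}


def is_trusted(login: str, repo_owner: str, owning_org: str, allowlist: frozenset[str]) -> bool:
    """Hardened: consult the allowlist file only, and only for repos owned by the fleet's org."""
    return repo_owner == owning_org and login in allowlist


if __name__ == "__main__":
    fork_allowlist = trusted_authors(FORK_WATCHED_REPOS_MD)
    print("hardcoded in SKILL.md:", sorted(hardcoded_logins(SKILL_MD)))
    print("fork would silently trust:", sorted(accidental_trust(SKILL_MD, FORK_WATCHED_REPOS_MD)))
    # Hypothetical fork owner 'someone-else': the literal check still says yes,
    # the allowlist-scoped check says no.
    print("hardcoded:", is_trusted_hardcoded("aaronjmars"))
    print("allowlist:", is_trusted("aaronjmars", "someone-else", "someone-else", fork_allowlist))
```

Running `accidental_trust` in CI against every fork's own watched-repos.md turns the inconsistency into a failing check rather than a silent grant of trust.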

Other reviewer

The other reviewer flagged nothing in this file/line range.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.
