AntFleet

Disagreement · c0feb3ca-anthropic-0

gh api commits step constructs an invalid query — `-f path=` is not a list-commits filter that gh forwards correctly

mismatch
repo 6f7fc663 · PR #30 · reviewed 1 week ago

Primary finding

medium · bug · medium
  • skills/skill-update-check/SKILL.md:28-33
`gh api` with `-f` sends form fields as POST body parameters by default for non-GET-default endpoints, but the commits endpoint is GET. In practice gh promotes `-f` to a query string for GET endpoints; however, the documented form for list-commits requires `path` as a query parameter. Using `-f` here actually works, but only because gh treats `-f` as a query string for GET.

More importantly, `{source_repo}` and `{source_path}` are placeholder syntax that the skill never substitutes. There is no instruction (e.g., shell variable expansion or jq templating) telling the operator/agent to interpolate values from the lock file entry into the gh command. A literal execution would call `repos/{source_repo}/commits` and 404. The same issue recurs in steps 5 and 6.

Recommendation

Add an explicit substitution step (e.g., `repo=$(jq -r .source_repo <<<"$entry")` and use `"repos/$repo/commits"`), or state clearly that `{source_repo}` etc. are placeholders to be substituted by the agent before invocation.

Counterpart finding

“current HEAD” wording in Step 5 is misleading; comparison uses latest file commit, not repo HEAD

low · docs-gap · high
  • skills/skill-update-check/SKILL.md:40-45
  • skills/skill-update-check/SKILL.md:30-36
current_sha is defined as the latest commit that touched the file, which may differ from the repository HEAD commit if intervening commits didn’t touch the file. Calling it "current HEAD" is inaccurate and can confuse integrators.

Recommendation

Rephrase to “current latest commit for that file” or actually fetch the branch HEAD SHA and use that if a full repo HEAD comparison is intended.
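Both findings concern the same step: building the list-commits call from the lock file entry, and deciding what the returned SHA means. The following is an added example (not code from the reviewed PR or from the skill under review) that does the substitution explicitly and keeps the two SHAs apart. It is written in Python rather than the shell/jq form suggested in the primary recommendation so that it runs offline; the lock file entry shape (`source_repo`, `source_path`, `source_ref`, `sha`) and the two API responses are constructed for illustration and are assumptions, not the project's real format. Only the endpoint paths and query parameters (`path`, `sha`, `per_page` on `GET /repos/{owner}/{repo}/commits`; `GET /repos/{owner}/{repo}/commits/{ref}` for a single commit) are taken from the GitHub REST API.

```python
"""Added example: build the `gh api` list-commits call from a lock file entry
and compare the locked SHA against the latest commit that touched the file,
while keeping that value distinct from the branch HEAD SHA."""
import json
import shlex
from typing import Optional
from urllib.parse import quote

# Constructed lock file entry (hypothetical shape; not the skill's real format).
LOCK_ENTRY = json.dumps({
    "source_repo": "example-org/example-skills",
    "source_path": "skills/foo/SKILL.md",
    "source_ref": "main",
    "sha": "1111111111111111111111111111111111111111",
})

# Constructed response for GET repos/{repo}/commits?path=...&sha=...&per_page=1
# (an array; element 0 is the newest commit that touched the file).
FILE_COMMITS_RESPONSE = json.dumps([
    {"sha": "2222222222222222222222222222222222222222"},
])

# Constructed response for GET repos/{repo}/commits/{ref} (a single commit
# object; its sha is the branch HEAD, which may not have touched the file).
BRANCH_HEAD_RESPONSE = json.dumps(
    {"sha": "3333333333333333333333333333333333333333"},
)


def list_commits_endpoint(entry_json: str) -> str:
    """Interpolate the lock entry into the list-commits path. `path` is a
    GET query parameter, so it goes in the query string, URL-encoded."""
    entry = json.loads(entry_json)
    repo = entry["source_repo"]          # "owner/name", already path-shaped
    path = quote(entry["source_path"], safe="")
    ref = quote(entry.get("source_ref", "main"), safe="")
    return f"repos/{repo}/commits?path={path}&sha={ref}&per_page=1"


def branch_head_endpoint(entry_json: str) -> str:
    """Endpoint that actually returns the branch HEAD commit."""
    entry = json.loads(entry_json)
    ref = quote(entry.get("source_ref", "main"), safe="")
    return f"repos/{entry['source_repo']}/commits/{ref}"


def gh_api_command(endpoint: str) -> str:
    """The shell command an operator/agent would run, fully substituted
    (no `{source_repo}` placeholders left in it)."""
    return shlex.join(["gh", "api", endpoint])


def latest_file_sha(commits_response_json: str) -> Optional[str]:
    """SHA of the newest commit touching the file, or None if it has none."""
    commits = json.loads(commits_response_json)
    return commits[0]["sha"] if commits else None


def branch_head_sha(commit_response_json: str) -> str:
    return json.loads(commit_response_json)["sha"]


def check_update(entry_json: str, commits_response_json: str) -> dict:
    """Compare the locked SHA with the latest commit for that file.
    Note the key name: this is the file's latest commit, not repo HEAD."""
    locked = json.loads(entry_json)["sha"]
    current = latest_file_sha(commits_response_json)
    return {
        "locked_sha": locked,
        "current_file_sha": current,
        "up_to_date": current is not None and current == locked,
    }


if __name__ == "__main__":
    print(gh_api_command(list_commits_endpoint(LOCK_ENTRY)))
    print(check_update(LOCK_ENTRY, FILE_COMMITS_RESPONSE))
    print("branch HEAD:", branch_head_sha(BRANCH_HEAD_RESPONSE))
```

Running it prints the substituted `gh api repos/example-org/example-skills/commits?path=...` command, reports the entry as out of date (locked `1111...`, file's latest commit `2222...`), and shows that the branch HEAD (`3333...`) is a third value, which is why calling the file's latest commit "current HEAD" misleads. The same substitution can be done in shell with `repo=$(jq -r .source_repo <<<"$entry")` and `gh api "repos/$repo/commits" -f path="$path" -f per_page=1`, since gh puts `-f` fields on the query string for GET requests.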

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.