AntFleet

Disagreement · c0feb3ca-anthropic-4

Security scanner path is hardcoded with no fallback location

mismatch
repo 6f7fc663 · PR #30 · reviewed 1 week ago

Primary finding

Security scanner path is hardcoded with no fallback location

low · maintainability · high
  • skills/skill-update-check/SKILL.md:55-59
The skill hardcodes `./skills/skill-security-scan/scan.sh`. This assumes cwd is the repo root. If cron triggers the skill from a different cwd, the relative path silently fails and the skill skips all security checks — undermining the whole purpose of this audit while still claiming UP-TO-DATE/CHANGED statuses are safe.

Recommendation

Resolve the path relative to the SKILL.md or the repo root (e.g., `git rev-parse --show-toplevel`), and treat 'scanner missing' as WARN in the notification rather than a silent skip.

Counterpart finding

“OK” log message is misleading when all results are UNREACHABLE

low · docs-gap · high
  • skills/skill-update-check/SKILL.md:63-66
  • skills/skill-update-check/SKILL.md:122
UNREACHABLE entries are explicitly not current, yet the prescribed message states “N skills current.” In cases where zero are current and some are unreachable, this is inaccurate and could mask connectivity problems.

Recommendation

Adjust the log to reflect the true state, e.g., “No changes detected — Up-to-date: X, Unreachable: Y,” and reserve “OK: N skills current” for the case where Y=0.
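Both recommendations above (resolving the scanner relative to the repo root with a WARN on a missing scanner, and reserving "OK: N skills current" for the Y=0 case) as one POSIX shell sketch. This is an added example, not code from the AntFleet page or the reviewed repository; it assumes the scanner lives at `skills/skill-security-scan/scan.sh` under the repo root and that the calling script sits in `skills/skill-update-check/`.

```shell
# Added example; not code from the AntFleet page or the reviewed repository.
# Assumes the scanner is skills/skill-security-scan/scan.sh under the repo
# root and that this script itself lives in skills/skill-update-check/.

# Repo root without trusting the cwd: explicit argument, then git's
# toplevel, then two directories above this script (skills/<skill>/).
resolve_repo_root() {
  if [ -n "${1:-}" ]; then
    printf '%s\n' "$1"
  elif top=$(git rev-parse --show-toplevel 2>/dev/null) && [ -n "$top" ]; then
    printf '%s\n' "$top"
  else
    script_dir=$(cd "$(dirname "$0")" && pwd)
    (cd "$script_dir/../.." && pwd)
  fi
}

# Absolute scanner path for a given repo root.
scanner_path() {
  printf '%s/skills/skill-security-scan/scan.sh\n' "$1"
}
# Run the scanner when it exists; a missing scanner is reported as WARN so
# the notification never implies UP-TO-DATE/CHANGED entries were scanned.
run_security_scan() {
  scanner=$(scanner_path "$1")
  if [ ! -x "$scanner" ]; then
    printf 'WARN: security scanner not found at %s; no scan ran\n' "$scanner"
    return 0
  fi
  if "$scanner" >/dev/null 2>&1; then
    printf 'OK: security scan completed\n'
  else
    rc=$?
    printf 'FAIL: security scan exited with status %s\n' "$rc"
    return "$rc"
  fi
}

# Summary line: "OK: N skills current" only when nothing was unreachable.
summary_line() {
  up=$1; changed=$2; unreachable=$3
  if [ "$changed" -gt 0 ]; then
    printf 'CHANGED: %s changed, %s up-to-date, %s unreachable\n' "$changed" "$up" "$unreachable"
  elif [ "$unreachable" -eq 0 ]; then
    printf 'OK: %s skills current\n' "$up"
  else
    printf 'No changes detected - Up-to-date: %s, Unreachable: %s\n' "$up" "$unreachable"
  fi
}
```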

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.
