AntFleet

Disagreement · c0feb3ca-openai-0

Branch field in skills.lock is ignored when fetching latest commits, causing false results on non-default branches

Status: mismatch
repo 6f7fc663 · PR #30 · reviewed 1 week ago

Primary finding

Branch field in skills.lock is ignored when fetching latest commits, causing false results on non-default branches

high · bug · high
  • skills/skill-update-check/SKILL.md:22
  • skills/skill-update-check/SKILL.md:31-35
  • skills/skill-update-check/SKILL.md:42-44
skills.lock entries include a branch field, but Step 3 queries commits without constraining to that branch. GitHub’s commits API defaults to the repository’s default branch, so skills pinned to a non-default branch (e.g., release, develop) will be compared against the wrong history. This can produce false UP-TO-DATE or CHANGED statuses and incorrect diffs and reports.

Recommendation

In Step 3, filter by the tracked branch: add `-f sha={branch}` to the `gh api repos/{source_repo}/commits` call so the latest file commit is resolved on the intended branch. Ensure any subsequent content fetches or comparisons use SHAs from that branch. Also document that `branch` is required and honored throughout.

Counterpart finding

gh api commits step constructs an invalid query — `-f path=` is not a list-commits filter that gh forwards correctly

medium · bug · medium
  • skills/skill-update-check/SKILL.md:28-33
`gh api` with `-f` sends form fields as POST body parameters by default for non-GET-default endpoints, but the commits endpoint is GET. In practice gh promotes `-f` to a query string for GET endpoints, however the documented form for list-commits requires `path` as a query parameter — using `-f` here actually works, but only because gh treats `-f` as querystring for GET. More importantly, `{source_repo}` and `{source_path}` are placeholder syntax that the skill never substitutes — there is no instruction (e.g., shell variable expansion or jq templating) telling the operator/agent to interpolate values from the lock file entry into the gh command. A literal execution would call `repos/{source_repo}/commits` and 404. Same issue recurs in steps 5 and 6.

Recommendation

Add an explicit substitution step (e.g., `repo=$(jq -r .source_repo <<<"$entry")` and use `"repos/$repo/commits"`), or state clearly that `{source_repo}` etc. are placeholders to be substituted by the agent before invocation.
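The following is an added example that serves both findings above; it is not code from PR #30 or from the skill's SKILL.md. It shows what Step 3 should actually execute for one skills.lock entry: the `repos/{owner}/{repo}/commits` query is constrained to the entry's tracked branch with the `sha=` query parameter (primary finding), and the `{source_repo}` / `{source_path}` placeholders are substituted from the parsed lock entry rather than passed literally (counterpart finding). It also passes `-X GET` explicitly, because `gh api` switches its default method to POST as soon as any `-f` field is given. The lock file layout (a JSON document with `source_repo`, `source_path`, `branch` and `commit` fields) is an assumption; the page only names the `branch` field and the two placeholders.

```python
"""Added example, not the skill's own code.

Assumed skills.lock layout (only `branch` is attested by the page):
  {"skills": [{"name", "source_repo", "source_path", "branch", "commit"}, ...]}
"""
import json
import shutil
import subprocess

# Constructed sample lock file; repository names are placeholders, not real projects.
SAMPLE_SKILLS_LOCK = json.dumps({
    "skills": [
        {
            "name": "example-skill",
            "source_repo": "example-org/example-repo",
            "source_path": "skills/example-skill/SKILL.md",
            "branch": "release",               # non-default branch: the case the finding is about
            "commit": "0" * 40,
        },
        {
            "name": "no-branch-skill",
            "source_repo": "example-org/other-repo",
            "source_path": "skills/other/SKILL.md",
            "commit": "1" * 40,                # branch missing: must be refused, not defaulted
        },
    ]
})


def sample_entries() -> list[dict]:
    """Parsed entries of the constructed lock file."""
    return json.loads(SAMPLE_SKILLS_LOCK)["skills"]


def latest_commit_argv(entry: dict) -> list[str]:
    """Argv for the list-commits call, with every placeholder substituted.

    `-X GET` keeps the `-f` fields in the query string (gh would otherwise
    default to POST once fields are present). `sha=<branch>` restricts the
    listing to the tracked branch; without it GitHub walks the default branch
    and comparing the result against `commit` tells you nothing.
    """
    repo = entry["source_repo"]
    path = entry["source_path"]
    branch = entry.get("branch")
    if not branch:
        raise ValueError(
            f"lock entry for {repo} has no branch; refusing to fall back to the default branch"
        )
    return [
        "gh", "api", "-X", "GET", f"repos/{repo}/commits",
        "-f", f"path={path}",
        "-f", f"sha={branch}",
        "-f", "per_page=1",
        "--jq", ".[0].sha",
    ]


def status_for(entry: dict, latest_sha: str) -> str:
    """Compare the branch-resolved latest SHA against the pinned commit."""
    return "UP-TO-DATE" if latest_sha == entry["commit"] else "CHANGED"


def plan(lock_text: str) -> dict[str, object]:
    """Dry run over a lock file: the argv each entry would execute, or why it was skipped."""
    result: dict[str, object] = {}
    for entry in json.loads(lock_text)["skills"]:
        try:
            result[entry["name"]] = latest_commit_argv(entry)
        except (KeyError, ValueError) as exc:
            result[entry["name"]] = f"skipped: {exc}"
    return result


def latest_commit_sha(entry: dict) -> str:
    """Execute the call; needs the gh CLI on PATH and network access."""
    if shutil.which("gh") is None:
        raise RuntimeError("gh CLI not found on PATH")
    proc = subprocess.run(latest_commit_argv(entry), check=True, capture_output=True, text=True)
    return proc.stdout.strip()


if __name__ == "__main__":
    for name, action in plan(SAMPLE_SKILLS_LOCK).items():
        print(name, "->", action if isinstance(action, str) else " ".join(action))
```

Running the module prints the fully substituted command for `example-skill` (with `sha=release`) and a skip message for the entry without a branch, which is the behaviour the two recommendations ask the SKILL.md to spell out instead of leaving `{source_repo}` literal and the branch unconstrained.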

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.
