Disagreement · cf4e74ac-anthropic-5

API key written into request headers but config file permissions never checked; key may leak via stderr on HTTPError

mismatch

repo a16d2030·PR #1·reviewed 1 week ago

Primary finding

API key written into request headers but config file permissions never checked; key may leak via stderr on HTTPError

lowsecuritymedium

agenticbets/scripts/agenticbets.py:56-60

On HTTPError the entire response body is dumped to stderr. If the Bankr API ever echoes the X-API-Key header (some gateways do) or includes it in an error trace, the secret leaks into logs. Lower-confidence finding because it depends on the upstream's behavior; still, a safer pattern is to truncate/scrub the body or print only e.code+e.reason on auth failures (401/403).

Recommendation

On 401/403, print only the status and a fixed remediation hint. Otherwise truncate body_text and redact any `bk_` substrings.

Counterpart finding

Bankr HTTP client does not handle URLError/timeouts; process may crash with an unhandled exception

lowmaintainabilityhigh

agenticbets/scripts/agenticbets.py:62-68

Only HTTPError is caught. URLError (DNS failure, connection timeout) or socket.timeout will raise and bubble up, likely printing a traceback instead of a clean error. fetch_markets properly catches Exception; bankr_request should mirror that resilience.

Recommendation

Catch urllib.error.URLError and socket.timeout; print a clear error and exit non-zero. Optionally retry transient errors with backoff.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.

read the methodology →

From the same review

These findings passed the unanimous gate on the same PR review. The disagreement above was filtered out; the findings below were posted.

← back to all disagreements view public receipts see unanimous findings + anatomies →

Tweet ↗