Opus finding
Build skill instructs `vercel --prod` without secret/env hygiene guidance
- .claude/skills/build.md:38-39
An autonomous agent ships a wallet-connect / on-chain launchpad to production via `vercel --prod` with no checklist for which env vars must be configured (Privy app id, RPC URL, IPFS keys), which must NOT be bundled client-side (private signing keys), and whether the deploy should be preview-first. This is a recipe for accidentally publishing a build that includes a server-side key in the client bundle, or one that fails to set required env vars and serves a broken/dangerous UI. Step 6 also mentions exposing 'launchpad fee income', which could include the agent wallet; that is fine, but there is no constraint against exposing the FeeLocker private key path.
Recommendation
Add an explicit pre-deploy checklist: enumerate required env vars, require `vercel` preview deploy + smoke test before `--prod`, and add a build-time grep for known secret-name patterns in `.next/static/**`.
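
One way to implement the env-var check and the bundle grep from this recommendation, as an added example (not code from the repository under review). The variable names and the secret-name pattern are assumptions to replace with the project's real ones; it goes one step beyond the recommendation by also searching the bundle for the literal values of server-only variables.

```shell
#!/bin/sh
# Pre-deploy gate for a Next.js build; run after the build, before any deploy.
# All variable names and patterns below are hypothetical placeholders.
REQUIRED_VARS="NEXT_PUBLIC_PRIVY_APP_ID NEXT_PUBLIC_RPC_URL IPFS_API_KEY"
SERVER_ONLY_VARS="IPFS_API_KEY FEELOCKER_PRIVATE_KEY"
SECRET_NAME_RE='PRIVATE_KEY|SIGNING_KEY|SECRET_KEY|MNEMONIC|IPFS_API_KEY'

# Fail if any required variable is unset or empty in the deploy environment.
check_required_env() {
    missing=0
    for name in $REQUIRED_VARS; do
        if [ -z "$(printenv "$name")" ]; then
            echo "missing required env var: $name" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Fail if the client bundle contains a secret-like name, or the literal
# value of any server-only variable that is set in this environment.
scan_bundle() {
    dir=$1; found=0
    if [ ! -d "$dir" ]; then
        echo "bundle directory not found: $dir" >&2
        return 2
    fi
    # -l lists matching files only, so matched text never reaches the log.
    hits=$(grep -rlE "$SECRET_NAME_RE" "$dir" || true)
    if [ -n "$hits" ]; then
        echo "secret-like names in client bundle:" >&2
        echo "$hits" >&2
        found=1
    fi
    for name in $SERVER_ONLY_VARS; do
        value=$(printenv "$name" || true)
        # Skip unset or very short values to avoid noisy matches.
        [ "${#value}" -ge 8 ] || continue
        # Pattern goes in via stdin so the secret never appears in argv.
        if printf '%s\n' "$value" | grep -rqF -f - "$dir"; then
            echo "value of $name found in client bundle" >&2
            found=1
        fi
    done
    return "$found"
}

# Usage after the build step: predeploy_gate .next/static || exit 1
predeploy_gate() { check_required_env && scan_bundle "$1"; }
```

A non-zero return from `predeploy_gate` should block both the preview deploy and `vercel --prod`.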