Disagreement · e488cbca-anthropic-3

Pattern 'curl\s+http://' only flags http (not https) network calls and labels them MEDIUM

solo Opus

repo 6f7fc663·PR #29·reviewed 1 week ago

Opus finding

Pattern 'curl\s+http://' only flags http (not https) network calls and labels them MEDIUM

lowapi-contracthigh

skills/skill-security-scan/scan.sh:153-156

The MEDIUM list flags only plain http://, implying https calls are considered safe. But https exfiltration is the dominant real-world pattern, and the threat model in SKILL.md explicitly calls out 'Send environment variables, tokens, or file contents to external URLs via curl/wget/fetch'. The narrow match makes the scanner ineffective against the very threat it advertises.

Recommendation

Add a domain-allowlist check for any outbound curl/wget/fetch destination, regardless of scheme; or at minimum add MEDIUM patterns for `curl\s+https://` with allowlist exceptions.

Other reviewer

The other reviewer flagged nothing in this file/line range.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.

read the methodology →

From the same review

These findings passed the unanimous gate on the same PR review. The disagreement above was filtered out; the findings below were posted.

← back to all disagreements view public receipts see unanimous findings + anatomies →

Tweet ↗