Disagreement · e488cbca-anthropic-4

scan_file uses 'local' return values via arrays but is invoked outside a function-counting context — counters work, but final exit ignores WARN; documented WARN behavior may mislead callers

solo Opus

repo 6f7fc663·PR #29·reviewed 1 week ago

Opus finding

scan_file uses 'local' return values via arrays but is invoked outside a function-counting context — counters work, but final exit ignores WARN; documented WARN behavior may mislead callers

lowmaintainabilitymedium

skills/skill-security-scan/scan.sh:13-18
skills/skill-security-scan/scan.sh:252-257

The documented contract says exit 0 on PASS but the script also exits 0 on WARN. That’s consistent with the header comment (only HIGH is FAIL), but callers wiring this into CI will not be able to distinguish PASS from WARN via exit code alone, and SKILL.md step 6 says to notify only if FAIL — so MEDIUM findings (e.g., chmod 777, ../, base64 -d) never trigger any notification. For a security-gating skill, silent MEDIUMs are a real risk.

Recommendation

Either (a) document explicitly that WARN is non-blocking, or (b) add an opt-in `--strict` flag that exits non-zero on MEDIUM, and have SKILL.md’s step 6 mention WARN aggregation.

Other reviewer

The other reviewer flagged nothing in this file/line range.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.

read the methodology →

From the same review

These findings passed the unanimous gate on the same PR review. The disagreement above was filtered out; the findings below were posted.

← back to all disagreements view public receipts see unanimous findings + anatomies →

Tweet ↗