AntFleet

Disagreement · e488cbca-openai-3

jq dependency not validated; JSON mode will crash if jq is unavailable

mismatch
repo 6f7fc663 · PR #29 · reviewed 1 week ago

Primary finding

jq dependency not validated; JSON mode will crash if jq is unavailable

medium · build-release · high
  • skills/skill-security-scan/scan.sh:251-258
  • skills/skill-security-scan/scan.sh:260-268
  • skills/skill-security-scan/scan.sh:311
With set -e, a missing jq binary or any jq error will terminate the script. The CLI offers a --json mode but does not check for jq, leading to brittle behavior on systems lacking jq.

Recommendation

When --json is requested, verify 'command -v jq' exists; if missing, print a clear error and exit 2, or fall back to emitting minimal JSON without formatting. Consider vendoring a small JSON emitter or using Python if available.
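The guard described in the recommendation, written out as an added example; this is not code from scan.sh or the skill-security-scan project. It assumes a hypothetical `JQ` override variable so the fallback can be exercised without uninstalling jq, two hypothetical flags (`--json`, which refuses to run without jq and exits 2, and `--json-lax`, which falls back to a hand-built compact object), and constructed summary counts. The fallback escaper only handles backslash and double quote; control characters in file names would still need jq or Python.

```shell
#!/bin/sh
# Added example, not part of scan.sh: guard the --json path on jq availability.
# JQ (assumed override, e.g. JQ=/nonexistent/jq) lets callers exercise the fallback.
set -eu

have_jq() {
  command -v "${JQ:-jq}" >/dev/null 2>&1
}

# Option (a) from the recommendation: fail loudly with exit status 2.
require_jq() {
  if ! have_jq; then
    printf '%s\n' 'error: --json requires jq (https://jqlang.github.io/jq/); install it or drop --json' >&2
    return 2
  fi
}

# Option (b): minimal escaper for the fallback path. Backslash and double quote only;
# control characters are deliberately not handled (that is the cost of avoiding jq).
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# emit_summary_json PASS WARN FAIL TARGET
# Uses jq when present so escaping is correct; otherwise writes the same compact object by hand.
emit_summary_json() {
  if have_jq; then
    "${JQ:-jq}" -c -n \
      --argjson pass "$1" --argjson warn "$2" --argjson fail "$3" --arg target "$4" \
      '{pass: $pass, warn: $warn, fail: $fail, target: $target}'
  else
    printf '{"pass":%d,"warn":%d,"fail":%d,"target":"%s"}\n' \
      "$1" "$2" "$3" "$(json_escape "$4")"
  fi
}

# Demo (constructed counts 3/1/0): ./jq_guard.sh --json DIR  or  ./jq_guard.sh --json-lax DIR
case "${1:-}" in
  --json)     require_jq || exit $?; emit_summary_json 3 1 0 "${2:-.}" ;;
  --json-lax) emit_summary_json 3 1 0 "${2:-.}" ;;
esac
```

Run with `JQ=/nonexistent/jq ./jq_guard.sh --json .` to see the exit-2 path, and with `--json-lax` to see the hand-built object; with jq installed both flags produce identical output, which is the property a CI consumer cares about.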

Counterpart finding

scan_file uses 'local' return values via arrays but is invoked outside a function-counting context — counters work, but final exit ignores WARN; documented WARN behavior may mislead callers

low · maintainability · medium
  • skills/skill-security-scan/scan.sh:13-18
  • skills/skill-security-scan/scan.sh:252-257
The documented contract says exit 0 on PASS but the script also exits 0 on WARN. That’s consistent with the header comment (only HIGH is FAIL), but callers wiring this into CI will not be able to distinguish PASS from WARN via exit code alone, and SKILL.md step 6 says to notify only if FAIL — so MEDIUM findings (e.g., chmod 777, ../, base64 -d) never trigger any notification. For a security-gating skill, silent MEDIUMs are a real risk.

Recommendation

Either (a) document explicitly that WARN is non-blocking, or (b) add an opt-in `--strict` flag that exits non-zero on MEDIUM, and have SKILL.md’s step 6 mention WARN aggregation.
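Option (b) from the recommendation, as an added example that is not code from scan.sh or SKILL.md: a verdict-to-exit-code mapping with an opt-in `--strict` flag, plus the notification decision from step 6 made explicit. The exit codes are assumptions chosen so callers can tell the three states apart (PASS=0, FAIL=1, WARN under `--strict`=3, leaving 2 for usage and dependency errors); the counts passed on the command line are constructed input, not real scan output.

```shell
#!/bin/sh
# Added example, not part of scan.sh: make WARN visible to CI callers.
# Assumed codes: PASS=0, FAIL=1, WARN=3 when --strict is given (2 reserved for usage errors).
set -eu

# verdict HIGH_COUNT MEDIUM_COUNT -> PASS | WARN | FAIL
# Mirrors the documented contract: only HIGH findings fail, MEDIUM only warns.
verdict() {
  if [ "$1" -gt 0 ]; then
    echo FAIL
  elif [ "$2" -gt 0 ]; then
    echo WARN
  else
    echo PASS
  fi
}

# exit_code VERDICT STRICT(0|1) -> numeric exit status
# WARN stays 0 by default (non-blocking, as the header comment documents);
# --strict turns it into a distinct non-zero code instead of reusing FAIL's.
exit_code() {
  case "$1" in
    PASS) echo 0 ;;
    FAIL) echo 1 ;;
    WARN) if [ "$2" -eq 1 ]; then echo 3; else echo 0; fi ;;
    *)    echo 2 ;;   # unknown verdict: treat like a usage error
  esac
}

# should_notify VERDICT STRICT -> success (notify) / failure (stay silent)
# Default follows SKILL.md step 6 (FAIL only); --strict also surfaces WARN so
# MEDIUM findings such as chmod 777 or base64 -d no longer pass silently.
should_notify() {
  [ "$1" = FAIL ] || { [ "$1" = WARN ] && [ "$2" -eq 1 ]; }
}

# Demo: ./exit_policy.sh [--strict] HIGH_COUNT MEDIUM_COUNT
if [ $# -gt 0 ]; then
  strict=0
  if [ "$1" = --strict ]; then strict=1; shift; fi
  v=$(verdict "${1:-0}" "${2:-0}")
  echo "verdict=$v strict=$strict"
  if should_notify "$v" "$strict"; then echo "notify: yes"; else echo "notify: no"; fi
  exit "$(exit_code "$v" "$strict")"
fi
```

`./exit_policy.sh 0 2` prints the WARN verdict and exits 0, which is today's behavior; `./exit_policy.sh --strict 0 2` exits 3 and notifies, so a pipeline can gate on MEDIUM without confusing it with a HIGH failure.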

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.


From the same review

These findings passed the unanimous gate on the same PR review. The disagreement above was filtered out; the findings below were posted.