AntFleet

Disagreement · f03404f9-anthropic-3

Breaking-change detection on untrusted release bodies has no length cap before regex/scan, contradicting 'treat as untrusted' constraint

mismatch
repo 6f7fc663·PR #22·reviewed 1 week ago

Primary finding

Breaking-change detection on untrusted release bodies has no length cap before regex/scan, contradicting 'treat as untrusted' constraint

lowsecuritymedium
  • skills/ai-framework-watch/SKILL.md:105-117
  • skills/ai-framework-watch/SKILL.md:238-240
Step 3 truncates `body_first_line` to 240 chars via jq, which mitigates injection risk for the body, but `name` (release name) and `tag_name` are passed through untruncated and then rendered into the article and notify payload (steps 7 & 11). A maliciously crafted release name from a watched repo could contain prompt-injection text or markdown that breaks the table render, and is not sanitized before being rendered to the article or sent via `./notify`. The constraints section warns about this but the steps do not enforce truncation/escaping on `name`/`tag_name`.

Recommendation

Add truncation (e.g. `name | .[0:120]`) and pipe-character escaping to `name` in step 3's jq, and apply the same to `tag_name` before rendering. Reinforce in step 7 that all maintainer-supplied strings must be escaped for markdown tables.

Counterpart finding

Ambiguity in "30d‑implied weekly average" used for verdict gating

lowdocs-gaphigh
  • skills/ai-framework-watch/SKILL.md:112-116
  • skills/ai-framework-watch/SKILL.md:94
"30d‑implied weekly average" is not defined. It likely means star_delta_30d / 4, but the document never states the exact formula or rounding rules. This creates room for divergent implementations and inconsistent verdicts.

Recommendation

Define the calculation explicitly (e.g., weekly_avg_30d = floor(star_delta_30d / 4) or star_delta_30d / 4.2857) and specify rounding/precision. Note behavior when star_delta_30d is unknown (render as — and skip this verdict).

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.

read the methodology →
← back to all disagreementsview public receiptssee unanimous findings + anatomies →
Tweet ↗