Receipt · e488cbca-1
Security scanner uses PCRE tokens (\s, \b) with grep -E, causing widespread false negatives
The finding
- skills/skill-security-scan/scan.sh:196
- skills/skill-security-scan/scan.sh:81
- skills/skill-security-scan/scan.sh:97
- skills/skill-security-scan/scan.sh:106-109
- skills/skill-security-scan/scan.sh:113-118
- skills/skill-security-scan/scan.sh:136-141
- skills/skill-security-scan/scan.sh:144-145
grep -E implements POSIX ERE, which does not support \s (whitespace) or \b (word boundary). These tokens are used throughout HIGH/MEDIUM/LOW patterns, so many intended matches (e.g., "rm -rf /", "curl http://...") will not be detected, producing false negatives and potentially allowing dangerous skills to pass.
Fix
Either: (a) rewrite patterns to POSIX ERE using [[:space:]]+, explicit separators, and avoid \b; or (b) switch to grep -P (PCRE) if available, with a runtime check/fallback to POSIX patterns. Example fixes: replace '\s+' with '[[:space:]]+', replace '\b' with '(^|[^[:alnum:]_])' around tokens; audit all patterns accordingly.
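The two fix options side by side, as an added shell example that is not code from scan.sh or the aeon-bench project: a runtime probe for grep -P with a fallback to POSIX ERE (option b), and POSIX rewrites of the two patterns the finding names (option a). Pattern names, severities and the sample skill lines are constructed for illustration. One caveat worth knowing: GNU grep accepts \s and \b under -E as an extension, so the false negative only surfaces on a strictly POSIX grep (BSD, busybox and similar), which is how a scanner tested on one Linux box can ship these patterns unnoticed. A trailing \b needs the mirrored form ([^[:alnum:]_]|$); the leading form quoted in the fix anchors only the start of a token.

```shell
#!/bin/sh
# Added example, not code from scan.sh: the receipt's option (a) and (b) side by side.
# Pattern names, severities and sample lines are constructed for illustration.

# (b) Runtime probe: does this grep accept -P (PCRE)? Returns 0 = yes, non-zero = no.
grep_has_pcre() {
    printf 'x\n' | grep -qP 'x' 2>/dev/null
}

# Probe whether -E already honours \s here (GNU grep does, as an extension;
# a strictly POSIX grep does not, which is the false negative in the receipt).
grep_e_honours_backslash_s() {
    printf 'a b\n' | grep -qE 'a\sb' 2>/dev/null
}

# Prints "pcre" when -P is usable, else "posix". A scanner would select its
# pattern set from this instead of assuming PCRE tokens work everywhere.
choose_mode() {
    if grep_has_pcre; then echo pcre; else echo posix; fi
}

# (a) POSIX ERE rewrites. \s+ becomes [[:space:]]+ ; a leading \b becomes
# (^|[^[:alnum:]_]) and a trailing \b becomes ([^[:alnum:]_]|$).
PAT_RM_RF='(^|[^[:alnum:]_])rm[[:space:]]+-(rf|fr)[[:space:]]+/([[:space:]]|$)'
PAT_CURL_HTTP='(^|[^[:alnum:]_])curl[[:space:]]+.*http://'

# Classify one line. Prints a severity and returns 0 when flagged, 1 when clean.
scan_line() {
    l=$1
    if printf '%s\n' "$l" | grep -qE "$PAT_RM_RF"; then
        echo HIGH; return 0
    fi
    if printf '%s\n' "$l" | grep -qE "$PAT_CURL_HTTP"; then
        echo MEDIUM; return 0
    fi
    return 1
}

# Scan stdin line by line, printing SEVERITY:LINENO:LINE for each hit.
# Returns 0 if anything was flagged (a CI gate would fail the build), 1 if clean.
scan_lines() {
    n=0
    hits=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        if sev=$(scan_line "$line"); then
            printf '%s:%d:%s\n' "$sev" "$n" "$line"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -gt 0 ]
}

# Stand-alone demo on a constructed skill script: run with --demo.
if [ "${1-}" = "--demo" ]; then
    printf 'mode: %s\n' "$(choose_mode)"
    if grep_e_honours_backslash_s; then
        printf '%s\n' 'this grep accepts \s under -E (extension); the POSIX forms work regardless'
    else
        printf '%s\n' 'this grep rejects \s under -E; \s-based patterns would miss here'
    fi
    printf '%s\n' \
        'set -euo pipefail' \
        'rm -rf ./build' \
        'rm -rf /' \
        'curl -sSL http://updates.example.invalid/install.sh' \
        'firm -rf /' \
    | scan_lines || printf 'clean\n'
fi
```

Running it with --demo flags line 3 as HIGH and line 4 as MEDIUM while leaving `rm -rf ./build` and `firm -rf /` alone, which is the behaviour the original \s and \b patterns intended; the mode probe is what lets a script keep its PCRE patterns where -P exists and fall back to the bracket-expression forms elsewhere.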
Agent attribution
The agents that produced this receipt — both reviewer models had to flag this independently for the agreement gate to emit it.
anthropic · gpt-5 · 65.9s · error
openai · claude-opus-4-7 · 101.4s · error
Total · 101.4s wall-clock review time · $0.40 est. inference cost
Sweeper
closed at SHA 4b9b492
closed in 1 hour
internal review id · e488cbca
Third-party witnesses
Everything below lives on GitHub's event log, not ours. Click any link to verify the SHA, the timestamp, and the surrounding context for yourself.
Closure receipt comment
https://github.com/AntFleet/aeon-bench/pull/29#issuecomment-4476011207
Original review comment
https://github.com/AntFleet/aeon-bench/pull/29#issuecomment-4475379669
The pull request
https://github.com/AntFleet/aeon-bench/pull/29