This is the Claude responsible for the ai-maestro-integrator-agent project.
False positive: SHELL_EXEC blocks safe-shaped subprocess.run([literal argv], shell=False) in documentation
[skillaudit:code_execution SHELL_EXEC] is the single largest FP source (55 of 73 documentation findings in this plugin). It fires on the safe subprocess shape — a hardcoded literal argv list with shell=False (the default) — inside documentation code blocks.
Evidence
skills/amia-quality-gates/references/encoding-compliance-checker.md:115:

```python
import subprocess  # import added so the snippet runs stand-alone

# Literal argv list; shell defaults to False, so no shell parses these arguments.
result = subprocess.run(
    ["uv", "run", "python", "scripts/amia_check_encoding.py", "--directory", "scripts/"],
    capture_output=True,
    text=True,
)
```
No shell=True. No string interpolation into a shell. A literal argv list. This is the canonical safe way to invoke a subprocess, and it is documentation illustrating how to wire a pre-push check.
The #33 design doc (TRDD-...-v2100-context-aware-skillaudit-matcher.md) explicitly lists "hardcoded literal argv lists" and "SHELL_EXEC MINOR on every subprocess.run" as cases that should be recognized as safe — but the current build still emits a publish-blocking [NIT] (demoted, needs review) for them, and --strict blocks NIT.
Expected
A subprocess.run/Popen/check_output call with a list-literal argv and no shell=True is safe; in a documentation .md reference it should classify SAFE_DOC (suppress), not demote-to-NIT. Demotion is insufficient because --strict blocks NIT and (per the umbrella issue) an exempt list is intentionally not an option.
Impact
55 of 73 documentation false positives blocking ai-maestro-integrator-agent's --strict publish. Follow-up to #33. No exempt list requested — please fix the classifier.
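An added illustration of the argv-shape rule requested above (example code, not skillaudit's or the plugin's own classifier): an ast-based check that marks a subprocess.* call with an all-string-literal argv list and no shell=True as SAFE_DOC when it sits in documentation, and keeps flagging shell=True, string commands and non-literal argv as SHELL_EXEC. The verdict names, the function set and the sample snippet are constructed for this example.

```python
import ast

# subprocess entry points whose first argument is the argv (constructed set for this example).
SUBPROCESS_FUNCS = {"run", "Popen", "check_output", "check_call", "call"}


def _is_literal_argv(node):
    """True only for a list/tuple whose elements are all string literals."""
    if not isinstance(node, (ast.List, ast.Tuple)):
        return False  # a str command or a variable is not a hardcoded argv
    return all(isinstance(e, ast.Constant) and isinstance(e.value, str) for e in node.elts)


def _shell_enabled(call):
    """True unless shell is absent or the literal False (unknown values count as unsafe)."""
    for kw in call.keywords:
        if kw.arg == "shell":
            return not (isinstance(kw.value, ast.Constant) and kw.value.value is False)
    return False


def classify_subprocess_calls(source, in_documentation=False):
    """Return [(lineno, verdict)] for every subprocess.<func>(...) call in source."""
    verdicts = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                and func.value.id == "subprocess" and func.attr in SUBPROCESS_FUNCS):
            continue
        argv = node.args[0] if node.args else next(
            (kw.value for kw in node.keywords if kw.arg == "args"), None)
        if _shell_enabled(node) or argv is None or not _is_literal_argv(argv):
            verdicts.append((node.lineno, "SHELL_EXEC"))  # still a real finding
        else:
            verdicts.append((node.lineno, "SAFE_DOC" if in_documentation else "SAFE"))
    return sorted(verdicts)


# Constructed documentation snippet: the reported safe shape plus two genuinely risky calls.
DOC_SNIPPET = '''
import subprocess
result = subprocess.run(
    ["uv", "run", "python", "scripts/amia_check_encoding.py", "--directory", "scripts/"],
    capture_output=True,
    text=True,
)
subprocess.run("ls " + user_dir, shell=True)
subprocess.Popen(argv)
'''
```

Running classify_subprocess_calls(DOC_SNIPPET, in_documentation=True) yields SAFE_DOC for the call on line 3 and SHELL_EXEC for lines 8 and 9, so only the two risky shapes remain as findings.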