Problem
meta_analyzer.apply_filter() keeps a static finding only if the LLM confirms it (is_vulnerability=True, confidence >= 0.6). Since the LLM's input includes attacker-controlled skill content, a prompt-injection payload can make the LLM drop even a CRITICAL/HIGH static finding — a false negative in a security gate. Affects all providers.
Proposed fix
Never let LLM filtering silently drop CRITICAL/HIGH static findings (preserve + tag llm-unconfirmed, surfaced in JSON); keep LLM false-positive filtering for MEDIUM/LOW.
Opened to follow CONTRIBUTING.md (issue-first); fix is in #54.
🤖 Generated with Claude Code
Problem
meta_analyzer.apply_filter()keeps a static finding only if the LLM confirms it (is_vulnerability=True,confidence >= 0.6). Since the LLM's input includes attacker-controlled skill content, a prompt-injection payload can make the LLM drop even a CRITICAL/HIGH static finding — a false negative in a security gate. Affects all providers.Proposed fix
Never let LLM filtering silently drop CRITICAL/HIGH static findings (preserve + tag
llm-unconfirmed, surfaced in JSON); keep LLM false-positive filtering for MEDIUM/LOW.Opened to follow CONTRIBUTING.md (issue-first); fix is in #54.
🤖 Generated with Claude Code