
Rule Reference

SEC204 · lintai-ai-security · threat-review · security · stable · hook · deny

Hook script: TLS verification disabled

Hook script disables TLS or certificate verification for a network call

Public lane
threat-review
Category
security
Provider
lintai-ai-security
Scope
per-file
Surface
hook
Tier
stable
Severity
deny
Confidence
high
Detection
structural
Remediation
message only
How to read this lane

Explicit malicious, secret-bearing, or spyware-like review.

How to read this category

Strong exploit, secret, or unsafe-execution signal.

Activation Model

Preset Activation

These presets explain where this rule appears in the product experience.

Lifecycle

Stable Lifecycle Contract

State

stable

Graduation rationale

Matches explicit TLS verification bypass tokens in executable hook network context.

Deterministic signal basis

HookSignals TLS-bypass token observation over parsed hook line tokens and network context.

Malicious corpus
hook-tls-bypass
Benign corpus
cursor-plugin-tls-verified-basic
structured evidence required · remediation reviewed
Canonical note

Structural stable rule positioned as an explicit threat-review control: high-signal malicious, credential-bearing, or spyware-like behavior that stays opt-in rather than shaping the quiet default.

Nearby Signals

Related Rules

Why It Matters

Disabling certificate verification removes one of the core trust checks on remote content and services. In hook scripts that often means the hook can be steered by an untrusted network intermediary.

What Triggers

SEC204 applies to executable hook network paths and triggers on explicit TLS-bypass markers such as:

  • curl --insecure
  • wget --no-check-certificate
  • NODE_TLS_REJECT_UNAUTHORIZED=0

Examples that trigger:

```sh
curl --insecure https://internal.test/bootstrap.sh -o /tmp/bootstrap.sh
NODE_TLS_REJECT_UNAUTHORIZED=0 node fetch.js https://internal.test/bootstrap.json
```

Example that stays clean:

```sh
curl https://internal.test/bootstrap.sh -o /tmp/bootstrap.sh
```
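The detection basis described above (TLS-bypass tokens observed over parsed hook line tokens, only in network context) can be illustrated with a small token-based scanner. The following is an added example written for this page, not lintai's own HookSignals implementation: the marker set is the three listed on this page plus curl's `-k` short alias (an assumption about what a real rule would include), the "network context" test is approximated as the command word being `curl`, `wget` or `node`, and the sample hook script is constructed for the demonstration.

```python
import shlex

# Explicit TLS-bypass markers per command word. The three markers named in
# SEC204 are listed on the page; "-k" (curl's short form of --insecure) is an
# added assumption about the marker set.
TLS_BYPASS_FLAGS = {
    "curl": {"--insecure", "-k"},
    "wget": {"--no-check-certificate"},
}
# Environment overrides that disable verification for a network command.
TLS_BYPASS_ENV = {"NODE_TLS_REJECT_UNAUTHORIZED": "0"}
# Approximation of "executable network context": the command being run.
NETWORK_COMMANDS = {"curl", "wget", "node"}
# Shell operators that separate one command from the next on a line.
SEPARATORS = {"|", "||", "&&", ";"}


def tokenize(line):
    """Split a shell line into tokens; comments and unparseable lines yield []."""
    try:
        return shlex.split(line, comments=True)
    except ValueError:
        return []


def split_commands(tokens):
    """Break a token list into per-command segments at pipe/list operators."""
    segment, segments = [], []
    for tok in tokens:
        if tok in SEPARATORS:
            if segment:
                segments.append(segment)
            segment = []
        else:
            segment.append(tok)
    if segment:
        segments.append(segment)
    return segments


def split_env_prefix(tokens):
    """Peel leading NAME=value assignments off a command's tokens."""
    env, i = {}, 0
    while i < len(tokens) and "=" in tokens[i] and not tokens[i].startswith("-"):
        name, _, value = tokens[i].partition("=")
        if not name.isidentifier():
            break
        env[name] = value
        i += 1
    return env, tokens[i:]


def find_tls_bypass(line):
    """Return the first TLS-bypass marker on a line, or None.

    A marker only counts when it sits on a network command (structural check),
    so the same text inside a comment or an echo argument stays clean.
    """
    for segment in split_commands(tokenize(line)):
        env, argv = split_env_prefix(segment)
        if not argv:
            continue
        cmd = argv[0].rsplit("/", 1)[-1]  # /usr/bin/curl -> curl
        if cmd not in NETWORK_COMMANDS:
            continue
        for name, bad_value in TLS_BYPASS_ENV.items():
            if env.get(name) == bad_value:
                return f"{name}={bad_value}"
        for tok in argv[1:]:
            if tok in TLS_BYPASS_FLAGS.get(cmd, ()):
                return tok
    return None


def scan_hook(script):
    """Scan a hook script; return [(line_number, marker), ...] for SEC204 hits."""
    findings = []
    for lineno, line in enumerate(script.splitlines(), 1):
        marker = find_tls_bypass(line)
        if marker is not None:
            findings.append((lineno, marker))
    return findings


# Constructed sample hook: two real bypasses, one clean fetch, and two lines
# that mention a marker without executing it.
SAMPLE_HOOK = """\
#!/bin/sh
# constructed sample hook for the example
curl --insecure https://internal.test/bootstrap.sh -o /tmp/bootstrap.sh
NODE_TLS_REJECT_UNAUTHORIZED=0 node fetch.js https://internal.test/bootstrap.json
curl https://internal.test/bootstrap.sh -o /tmp/bootstrap.sh
# curl --insecure appears only in this comment
echo "NODE_TLS_REJECT_UNAUTHORIZED=0 is unsafe"
"""

if __name__ == "__main__":
    for lineno, marker in scan_hook(SAMPLE_HOOK):
        print(f"SEC204 line {lineno}: TLS verification disabled via {marker}")
```

Running the block reports lines 3 and 4 of the sample and nothing else: the comment and the `echo` line carry the same text but not in executable network context, which is the distinction the rule's structural detection relies on to keep ordinary secure usage clean.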

False Positives

The rule is structural and token-based. It looks for explicit bypass markers in executable network context, so ordinary secure network usage stays clean.

Remediation

Remove the TLS-bypass flag or environment override and use normal certificate verification. There is no automatic rewrite because the safe replacement depends on the surrounding network flow.