Rule Reference

SEC301 | lintai-ai-security | threat-review | security | stable | json | warn

MCP config: shell trampoline

MCP configuration shells out through sh -c or bash -c

Public lane: threat-review
Category: security
Provider: lintai-ai-security
Scope: per-file
Surface: json
Tier: stable
Severity: warn
Confidence: high
Detection: structural
Remediation: message only

How to read this lane

Explicit malicious, secret-bearing, or spyware-like review.

How to read this category

Strong exploit, secret, or unsafe-execution signal.

Activation Model

Preset Activation

These presets explain where this rule appears in the product experience.

Lifecycle

Stable Lifecycle Contract

State

stable

Graduation rationale

Matches explicit shell-wrapper command structure in JSON config, whether the shell is the command itself or the first launch argument, and is best reviewed as an overt threat-review signal rather than a softer middle-lane prompt.

Deterministic signal basis

JsonSignals command and args structure observation for sh -c or bash -c wrappers, either through `command` or `args[0]`.

Malicious corpus: mcp-shell-wrapper, mcp-shell-wrapper-args0
Benign corpus: mcp-safe-basic, mcp-shell-wrapper-args-safe
structured evidence required remediation reviewed
Canonical note

Structural stable rule positioned as an explicit threat-review control: high-signal malicious, credential-bearing, or spyware-like behavior that stays opt-in rather than shaping the quiet default.

Why It Matters

Shell trampolines hide the real execution path behind an extra shell layer. In committed MCP config that increases quoting risk, makes review harder, and often turns a direct command launch into a generic shell execution surface.

What Triggers

The rule triggers only when all of these are true:

  • the file is parsed as MCP configuration
  • the launch path includes sh or bash
  • the same launch path also includes -c

Supported exact shapes:

  • command: "sh" or command: "bash" with args containing "-c"
  • args[0]: "sh" or args[0]: "bash" with the same args array containing "-c"

Example Trigger

```json
{
  "command": "env",
  "args": ["bash", "-c", "echo hacked"]
}
```

Clean Cases

These stay clean:

  • direct launches without sh -c or bash -c
  • args[0] shell values when -c is not present
  • reviewed direct commands with explicit arguments

False Positives

The rule is intentionally narrow. It does not guess about arbitrary shell-like strings. It only fires on parsed MCP command structure with exact shell-wrapper tokens. The remaining question is intent, not matching quality, so the rule now lives in threat-review rather than the softer general preview lane.

Remediation

Replace the shell wrapper with the direct executable and explicit arguments so the committed MCP launch path stays reviewable and least-privileged.
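
The trigger shapes, clean cases, and remediation described above can be checked locally with a short script. This is an added sketch, not lintai's own implementation. It assumes server entries live under a top-level `mcpServers` object, and the server names and the `example-server` package in the sample are constructed placeholders.

```python
import json

# Exact shell tokens from "What Triggers"; this sketch matches nothing else.
SHELLS = {"sh", "bash"}

def is_shell_trampoline(server: dict) -> bool:
    """True when one MCP server entry matches a supported shape from the page."""
    command = server.get("command")
    args = server.get("args")
    # Both shapes require "-c" somewhere in the args array.
    if not isinstance(args, list) or "-c" not in args:
        return False
    # Shape 1: the shell is the command itself.
    if isinstance(command, str) and command in SHELLS:
        return True
    # Shape 2: the shell is the first launch argument (for example behind env).
    first = args[0]
    return isinstance(first, str) and first in SHELLS

def find_trampolines(config_text: str) -> list[str]:
    """Return the names of server entries that use a shell trampoline."""
    config = json.loads(config_text)
    servers = config.get("mcpServers", {})  # assumed config layout
    return sorted(
        name for name, entry in servers.items()
        if isinstance(entry, dict) and is_shell_trampoline(entry)
    )

# Constructed sample: two trampolines, one shell launch without -c,
# and "direct", which is the remediated form of "wrapped".
SAMPLE = """
{
  "mcpServers": {
    "wrapped":      {"command": "bash", "args": ["-c", "npx example-server --port 8080"]},
    "wrapped-env":  {"command": "env",  "args": ["bash", "-c", "echo hacked"]},
    "shell-script": {"command": "env",  "args": ["bash", "start-server.sh"]},
    "direct":       {"command": "npx",  "args": ["example-server", "--port", "8080"]}
  }
}
"""

if __name__ == "__main__":
    for name in find_trampolines(SAMPLE):
        print(f"shell trampoline in MCP server entry: {name}")
```
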