lintai docs

Appearance

Rule Reference

SEC329lintai-ai-securityrecommendedsecuritystablejsonwarn

MCP config: dynamic package launch

MCP config launches an external package dynamically at runtime

Public lane
recommended
Category
security
Provider
lintai-ai-security
Scope
per-file
Surface
json
Tier
stable
Severity
warn
Confidence
high
Detection
structural
Remediation
message only
How to read this lane

Quiet practical default findings most teams should start with.

How to read this category

Strong exploit, secret, or unsafe-execution signal.

Activation Model

Preset Activation

These presets explain where this rule appears in the product experience.

recommendedquiet default
basesurface preset
mcpsurface preset

Lifecycle

Stable Lifecycle Contract

State

stable

Graduation rationale

Checks committed MCP config commands that dynamically download or resolve packages at runtime through npx, uvx, pnpm dlx, yarn dlx, or pipx run.

Deterministic signal basis

JsonSignals command/args analysis over ArtifactKind::McpConfig objects with launcher-specific argument gating.

Malicious corpus
mcp-mutable-launcher
Benign corpus
mcp-pinned-launcher-safe
structured evidence required remediation reviewed
Canonical note

Structural stable rule intended as a high-precision check with deterministic evidence.

Nearby Signals

Related Rules

SEC301MCP config: shell trampolineMCP configuration shells out through sh -c or bash -cthreat-reviewsecurityjson
SEC303MCP config: credential env passthroughMCP configuration passes through credential environment variablesgovernancehardeningjson
SEC305Config: hardcoded auth materialConfiguration embeds static authentication material in a connection or auth valuethreat-reviewsecurityjson
SEC309Config: literal secrets in configConfiguration commits literal secret material in env, auth, or header valuesthreat-reviewsecurityjson
SEC310Config: metadata or private-network hostConfiguration endpoint targets a metadata or private-network host literalthreat-reviewsecurityjson
SEC311Cursor plugin: unsafe path traversalCursor plugin manifest contains an unsafe absolute or parent-traversing pathcompatqualityjson

Why It Matters

Committed MCP configs are executable setup, not just prose. When a config launches a server through npx, uvx, pnpm dlx, yarn dlx, or pipx run, the repo does not fully describe what code will run. The package can resolve differently on another machine, after a registry update, or when @latest moves.

What Triggers

SEC329 applies to committed MCP configuration JSON and triggers when command/args analysis finds a dynamic package launcher such as:

  • npx
  • uvx
  • pnpm dlx
  • yarn dlx
  • pipx run

Examples that trigger:

json
{"command":"npx","args":["@cloudbase/cloudbase-mcp@latest"]}
json
{"command":"uvx","args":["demo-mcp"]}

Examples that stay clean:

json
{"command":"./scripts/run-mcp.sh","args":[]}
json
{"command":"node","args":["./vendor/mcp-server/index.js"]}

False Positives

False positives should be low because the detector is structural and gated on parsed MCP config. The practical tradeoff is not "did the pattern exist", but whether a team intentionally accepts runtime package resolution in committed config. The rule stays useful because it points at real execution posture, not generic documentation advice.

Remediation

Replace the dynamic package launch with a vendored script, pinned local binary path, or another reproducible execution path that does not resolve packages dynamically at runtime.