
Rule Reference

SEC355

AI markdown: wildcard tool grant

AI-native markdown frontmatter grants wildcard tool access

Public lane: guidance
Category: hardening
Provider: lintai-ai-security
Scope: per-file
Surface: markdown
Tier: preview
Severity: warn
Confidence: high
Detection: structural
Remediation: message only
How to read this lane

Advice-oriented guidance and maintainability review.

How to read this category

Least-privilege, provenance, or operational hygiene signal.

Activation Model

Preset Activation

These presets explain where this rule appears in the product experience.

Lifecycle

Preview Lifecycle Contract

State

preview

Promotion blocker

Wildcard tool grants in AI-native frontmatter can still appear in convenience-oriented docs, so the first release stays least-privilege guidance-only.

Promotion requirements

Needs corpus-backed precision review, external usefulness evidence, and completed stable checklist metadata.

Canonical note

Structural preview rule; deterministic today, but the preview contract may still evolve.

Nearby Signals

Related Rules

Why It Matters

Wildcard tool grants make shared skills and instruction files much harder to review: a reviewer can no longer tell from the frontmatter which tools the workflow actually relies on. Once frontmatter says every tool is allowed, the document stops expressing least privilege and becomes a much broader execution policy than most AI workflows need, and every tool the host exposes later is granted automatically.

What Triggers

SEC355 applies to AI-native markdown surfaces with parsed frontmatter and triggers when any of these keys grants a literal wildcard tool token:

  • allowed-tools
  • allowed_tools
  • tools

Examples that trigger:

  • allowed-tools: "*" (scalar form)
  • allowed_tools: ["*"] (flow list form)
  • tools: as a YAML block list whose items include - "*"

Examples that stay clean:

  • allowed-tools: Read, Write, Edit
  • allowed-tools: Bash(git:*), Read (the * inside a scoped pattern is not a bare wildcard token)

Files under fixture-like paths such as tests/fixtures/ are skipped regardless of their frontmatter.
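The check above can be reproduced with a small structural matcher. The following is an added example, not lintai's own implementation: it uses a deliberately minimal frontmatter parser (scalar, flow-list and block-list forms only, no PyYAML) and an assumed fixture-path marker list, and the sample documents are constructed for the demonstration. It shows the two details that matter for precision: tokens are compared whole, so Bash(git:*) does not count, and fixture paths are excluded before any parsing.

```python
import re
from typing import Dict, List, Optional

# Frontmatter keys SEC355 inspects (as listed on this page).
TOOL_KEYS = ("allowed-tools", "allowed_tools", "tools")

# Paths treated as fixtures and skipped. The page names tests/fixtures/;
# the full set used by the real rule is not documented here, so this is an assumption.
FIXTURE_PATH_MARKERS = ("tests/fixtures/",)


def _strip_quotes(token: str) -> str:
    """Drop one layer of matching single or double quotes around a token."""
    token = token.strip()
    if len(token) >= 2 and token[0] == token[-1] and token[0] in "\"'":
        return token[1:-1]
    return token


def _split_scalar(value: str) -> List[str]:
    """Split 'Read, Write, Bash(git:*)' into tokens, splitting on commas only
    outside parentheses so scoped patterns survive intact."""
    tokens, depth, cur = [], 0, []
    for ch in value:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            tokens.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    tokens.append("".join(cur))
    return [_strip_quotes(t) for t in tokens if t.strip()]


def parse_frontmatter(markdown: str) -> Dict[str, List[str]]:
    """Minimal YAML-subset parser for a leading '---' block.
    Supports 'key: scalar', 'key: [a, b]' and 'key:' followed by '- item' lines.
    Returns key -> list of string tokens."""
    lines = markdown.splitlines()
    if not lines or lines[0].strip() != "---":
        return {}
    result: Dict[str, List[str]] = {}
    current: Optional[str] = None  # key whose block list is being read
    for line in lines[1:]:
        if line.strip() == "---":
            break
        item = re.match(r"^\s*-\s+(.*)$", line)
        if item and current is not None:
            result[current].append(_strip_quotes(item.group(1)))
            continue
        kv = re.match(r"^([A-Za-z0-9_-]+):\s*(.*)$", line)
        if not kv:
            continue
        key, raw = kv.group(1), kv.group(2).strip()
        if raw == "":
            result[key] = []
            current = key  # a block list may follow
        elif raw.startswith("[") and raw.endswith("]"):
            result[key] = _split_scalar(raw[1:-1])
            current = None
        else:
            result[key] = _split_scalar(raw)
            current = None
    return result


def wildcard_tool_grants(markdown: str, path: str = "skill.md") -> List[str]:
    """Return the tool keys that grant a literal '*' token; empty means no finding.
    The comparison is on whole tokens, so Bash(git:*) is not a bare wildcard."""
    if any(marker in path for marker in FIXTURE_PATH_MARKERS):
        return []
    fm = parse_frontmatter(markdown)
    return [k for k in TOOL_KEYS if k in fm and any(t == "*" for t in fm[k])]


# Constructed sample documents for the demonstration.
SAMPLES = {
    "scalar wildcard": '---\nname: deploy\nallowed-tools: "*"\n---\n# Deploy\n',
    "flow-list wildcard": '---\nallowed_tools: ["*"]\n---\n',
    "block-list wildcard": '---\ntools:\n  - "*"\n---\n',
    "explicit allowlist": "---\nallowed-tools: Read, Write, Edit\n---\n",
    "scoped shell": "---\nallowed-tools: Bash(git:*), Read\n---\n",
}

if __name__ == "__main__":
    for label, doc in SAMPLES.items():
        print(f"{label:22} -> {wildcard_tool_grants(doc) or 'clean'}")
```

Running the block prints a finding for the three wildcard forms and "clean" for the allowlist and scoped-shell samples; passing a path under tests/fixtures/ to wildcard_tool_grants returns no finding even for a wildcard document.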

False Positives

This rule now lives in the explicit guidance lane because some shared AI repos still document wildcard tool access as a convenience default. The rule is guidance about least privilege and reviewability, not a claim that every such file is immediately exploitable.

Remediation

Replace wildcard access with an explicit allowlist of only the tools the workflow actually needs. If a skill really needs shell access, prefer a narrower scoped form such as Bash(git:*) instead of *. A scoped form is still an execution grant, so keep it to the commands the workflow runs and make sure it is visible to whoever reviews the file.

How To Pass Lint

Prefer frontmatter like this:

```yaml
allowed-tools: Read, Write, Bash(git:*)
```

Avoid:

```yaml
allowed-tools: "*"
```