lintai docs

Appearance

Rule Reference

SEC356lintai-ai-securityguidancequalitypreviewmarkdownwarn

Plugin agent: `permissionMode` in frontmatter

Plugin agent frontmatter sets `permissionMode`

Public lane
guidance
Category
quality
Provider
lintai-ai-security
Scope
per-file
Surface
markdown
Tier
preview
Severity
warn
Confidence
high
Detection
structural
Remediation
message only
How to read this lane

Advice-oriented guidance and maintainability review.

How to read this category

Contract, schema, or config correctness signal.

Activation Model

Preset Activation

These presets explain where this rule appears in the product experience.

guidancesidecar lane

Lifecycle

Preview Lifecycle Contract

State

preview

Promotion blocker

Plugin agent frontmatter can still include unsupported permission policy experiments, so the first release stays spec-guidance-only.

Promotion requirements

Needs corpus-backed precision review, external usefulness evidence, and completed stable checklist metadata.

Canonical note

Structural preview rule; deterministic today, but the preview contract may still evolve.

Nearby Signals

Related Rules

SEC353Copilot instructions: exceeds 4000 charsGitHub Copilot instruction markdown exceeds the 4000-character guidance limitguidancequalitymarkdown
SEC354Copilot instructions: missing `applyTo`Path-specific GitHub Copilot instruction markdown is missing `applyTo` frontmatterguidancequalitymarkdown
SEC355AI markdown: wildcard tool grantAI-native markdown frontmatter grants wildcard tool accessguidancehardeningmarkdown
SEC357Plugin agent: `hooks` in frontmatterPlugin agent frontmatter sets `hooks`guidancequalitymarkdown
SEC358Plugin agent: `mcpServers` in frontmatterPlugin agent frontmatter sets `mcpServers`guidancequalitymarkdown
SEC359Cursor rule: `alwaysApply` typeCursor rule frontmatter `alwaysApply` must be booleanguidancequalitymarkdown

Why It Matters

SEC356 flags plugin agent markdown whose frontmatter sets permissionMode.

For shared plugin agents, this is a risky place to express permission policy:

  • it mixes execution policy into agent content instead of keeping it in user or plugin configuration
  • it makes agent review harder because content and permission posture are coupled
  • it diverges from the plugin-agent layout guidance documented for Claude plugin agents

What Triggers

This rule applies only to plugin agent markdown surfaces and triggers on parsed frontmatter that contains the exact key:

  • permissionMode

Example that triggers:

yaml
---
name: review
permissionMode: acceptEdits
---

Examples that stay clean:

yaml
---
name: review
allowed-tools: Read, Write
---
  • fixture-like paths under tests/, fixtures/, examples/, or samples/
  • non-plugin markdown like ordinary SKILL.md

False Positives

This rule now lives in the explicit guidance lane because some repos may still experiment with unsupported or transitional plugin metadata. The signal is intended as structural policy guidance, not as proof of exploitation.

Remediation

Remove permissionMode from plugin agent frontmatter and manage permission policy in plugin-level or user-level configuration instead.

Good pattern:

yaml
---
name: review
allowed-tools: Read, Write
---