Rule Reference

SEC434lintai-ai-securitygovernancehardeningstablemarkdownwarn

AI markdown: raw.githubusercontent.com WebFetch grant

AI-native markdown frontmatter grants `WebFetch(domain:raw.githubusercontent.com)` authority

Public lane: governance
Category: hardening
Provider: lintai-ai-security
Scope: per-file
Surface: markdown
Tier: stable
Severity: warn
Confidence: high
Detection: structural
Remediation: message only

How to read this lane

Shared authority and workflow policy review.

How to read this category

Least-privilege, provenance, or operational hygiene signal.

Activation Model

Preset Activation

These presets explain where this rule appears in the product experience.

governancesidecar lane

Lifecycle

Stable Lifecycle Contract

State

stable

Graduation rationale

Checks AI-native frontmatter for explicit raw GitHub content fetch grants in shared allowed-tools policy.

Deterministic signal basis

MarkdownSignals exact frontmatter token detection for `WebFetch(domain:raw.githubusercontent.com)` inside allowed-tools or allowed_tools.

Malicious corpus

skill-webfetch-raw-github-allowed-tools

Benign corpus

skill-webfetch-raw-github-allowed-tools-specific-safe

structured evidence required remediation reviewed

Canonical note

Structural stable rule intended as a high-precision check with deterministic evidence.

Nearby Signals

Related Rules

SEC352AI markdown: unscoped Bash tool grantAI-native markdown frontmatter grants unscoped Bash tool accessgovernancehardeningmarkdown

SEC423AI markdown: bare Read tool grantAI-native markdown frontmatter grants bare `Read` tool accessgovernancehardeningmarkdown

SEC424AI markdown: bare Write tool grantAI-native markdown frontmatter grants bare `Write` tool accessgovernancehardeningmarkdown

SEC425AI markdown: bare Edit tool grantAI-native markdown frontmatter grants bare `Edit` tool accessgovernancehardeningmarkdown

SEC426AI markdown: bare Glob tool grantAI-native markdown frontmatter grants bare `Glob` tool accessgovernancehardeningmarkdown

SEC427AI markdown: bare Grep tool grantAI-native markdown frontmatter grants bare `Grep` tool accessgovernancehardeningmarkdown

SEC434 / MD-WEBFETCH-RAW-GITHUB

SEC434 flags AI-native markdown frontmatter when allowed-tools grants the exact token WebFetch(domain:raw.githubusercontent.com).

Why It Matters

raw.githubusercontent.com serves direct repository file contents. Granting that fetch target in shared AI instruction frontmatter makes mutable remote code and prompt content easier to ingest outside the normal repository review path.

Trigger Shape

The rule triggers only when all of these are true:

the file is an AI-native markdown instruction surface with parsed frontmatter
the path is not fixture-like
allowed-tools or allowed_tools contains the exact token WebFetch(domain:raw.githubusercontent.com)

Clean Cases

These stay clean:

narrower reviewed domains such as WebFetch(domain:github.com)
frontmatter that does not grant raw GitHub fetches
fixture-like examples under test or fixture paths

Example Trigger

---
allowed-tools:
  - WebFetch(domain:raw.githubusercontent.com)
  - Read
---

Safer Example

---
allowed-tools:
  - WebFetch(domain:github.com)
  - Read
---

How To Fix

Replace WebFetch(domain:raw.githubusercontent.com) with a narrower reviewed documentation host, or remove broad raw GitHub fetch authority from shared frontmatter entirely.

AI markdown: raw.githubusercontent.com WebFetch grant

Preset Activation

Stable Lifecycle Contract

Related Rules

SEC434 / MD-WEBFETCH-RAW-GITHUB ​

Why It Matters ​

Trigger Shape ​

Clean Cases ​

Example Trigger ​

Safer Example ​

How To Fix ​