Rule Reference

SEC447lintai-ai-securitygovernancehardeningstablemarkdownwarn

AI markdown: package installation tool grant

AI-native markdown frontmatter grants package installation authority

Public lane: governance
Category: hardening
Provider: lintai-ai-security
Scope: per-file
Surface: markdown
Tier: stable
Severity: warn
Confidence: high
Detection: structural
Remediation: message only

How to read this lane

Shared authority and workflow policy review.

How to read this category

Least-privilege, provenance, or operational hygiene signal.

Activation Model

Preset Activation

These presets explain where this rule appears in the product experience.

governancesidecar lane

Lifecycle

Stable Lifecycle Contract

State

stable

Graduation rationale

Checks AI-native frontmatter for shared package-install grants in allowed-tools policy.

Deterministic signal basis

MarkdownSignals exact frontmatter token detection for package-install permissions such as `Bash(pip install)` and `Bash(npm install)` inside allowed-tools or allowed_tools.

Malicious corpus

skill-package-install-allowed-tools

Benign corpus

skill-package-command-allowed-tools-safe

structured evidence required remediation reviewed

Canonical note

Structural stable rule intended as a high-precision check with deterministic evidence.

Nearby Signals

Related Rules

SEC352AI markdown: unscoped Bash tool grantAI-native markdown frontmatter grants unscoped Bash tool accessgovernancehardeningmarkdown

SEC423AI markdown: bare Read tool grantAI-native markdown frontmatter grants bare `Read` tool accessgovernancehardeningmarkdown

SEC424AI markdown: bare Write tool grantAI-native markdown frontmatter grants bare `Write` tool accessgovernancehardeningmarkdown

SEC425AI markdown: bare Edit tool grantAI-native markdown frontmatter grants bare `Edit` tool accessgovernancehardeningmarkdown

SEC426AI markdown: bare Glob tool grantAI-native markdown frontmatter grants bare `Glob` tool accessgovernancehardeningmarkdown

SEC427AI markdown: bare Grep tool grantAI-native markdown frontmatter grants bare `Grep` tool accessgovernancehardeningmarkdown

SEC447 / MD-PACKAGE-INSTALL-ALLOWED-TOOLS

SEC447 flags AI-native markdown frontmatter when allowed-tools grants exact package-install authority such as Bash(pip install) or Bash(npm install).

Why It Matters

Shared package-install authority turns dependency mutation into default team policy. In AI-native instruction files, that makes supply-chain changes easy to cargo-cult without a reviewed install workflow.

Trigger Shape

The rule triggers only when all of these are true:

the file is an AI-native markdown instruction surface with parsed frontmatter
the path is not fixture-like
allowed-tools or allowed_tools contains one of these exact tokens:
- Bash(pip install)
- Bash(pip3 install)
- Bash(python -m pip install)
- Bash(yarn install)
- Bash(npm install)
- Bash(pnpm install)
- Bash(bun install)

Clean Cases

These stay clean:

more specific non-install commands such as Bash(pip cache purge)
frontmatter that does not grant package installation
fixture-like examples under test or fixture paths

Example Trigger

---
allowed-tools:
  - Bash(pip install)
  - Read
---

Safer Example

---
allowed-tools:
  - Bash(pip cache purge)
  - Read
---

How To Fix

Replace shared package-install authority with a narrower reviewed workflow, or remove install privileges from shared frontmatter entirely.

AI markdown: package installation tool grant

Preset Activation

Stable Lifecycle Contract

Related Rules

SEC447 / MD-PACKAGE-INSTALL-ALLOWED-TOOLS ​

Why It Matters ​

Trigger Shape ​

Clean Cases ​

Example Trigger ​

Safer Example ​

How To Fix ​