Rule Reference

SEC663lintai-ai-securitythreat-reviewsecuritystablehookdeny

Hook script: Linux capability manipulation

Hook script manipulates Linux capabilities

Public lane: threat-review
Category: security
Provider: lintai-ai-security
Scope: per-file
Surface: hook
Tier: stable
Severity: deny
Confidence: high
Detection: structural
Remediation: message only

How to read this lane

Explicit malicious, secret-bearing, or spyware-like review.

How to read this category

Strong exploit, secret, or unsafe-execution signal.

Activation Model

Preset Activation

These presets explain where this rule appears in the product experience.

threat-reviewsidecar lane

Lifecycle

Stable Lifecycle Contract

State

stable

Graduation rationale

Matches explicit Linux capability manipulation payloads in executable hook lines.

Deterministic signal basis

HookSignals shell-token analysis over non-comment hook lines for `setcap` or dangerous Linux capability tokens such as `cap_setuid` and `cap_sys_admin`.

Malicious corpus

hook-privilege-escalation-payloads

Benign corpus

cursor-plugin-clean-basic

structured evidence required remediation reviewed

Canonical note

Structural stable rule positioned as an explicit threat-review control: high-signal malicious, credential-bearing, or spyware-like behavior that stays opt-in rather than shaping the quiet default.

Nearby Signals

Related Rules

SEC201Hook script: remote code executionHook script downloads remote code and executes itthreat-reviewsecurityhook

SEC202Hook script: secret exfiltrationHook script appears to exfiltrate secrets through a network callthreat-reviewsecurityhook

SEC203Hook script: insecure HTTP secret sendHook script sends secret material to an insecure http:// endpointthreat-reviewsecurityhook

SEC204Hook script: TLS verification disabledHook script disables TLS or certificate verification for a network callthreat-reviewsecurityhook

SEC205Hook script: hardcoded auth in network callHook script embeds static authentication material in a network callthreat-reviewsecurityhook

SEC206Hook script: base64 payload executionHook script decodes a base64 payload and executes itthreat-reviewsecurityhook

Why It Matters

Linux capabilities like cap_setuid and cap_sys_admin can grant powerful privileges without full root.

What Triggers

SEC663 matches executable hook lines that run setcap or include dangerous capability tokens such as cap_setuid, cap_setgid, cap_sys_admin, or cap_net_admin.

False Positives

Capability assignment can be legitimate in low-level system tooling, but it remains a sensitive host privilege change in shared hooks.

Remediation

Remove Linux capability manipulation from the hook and keep capability assignment in an explicit reviewed admin workflow.

Hook script: Linux capability manipulation

Preset Activation

Stable Lifecycle Contract

Related Rules

Why It Matters ​

What Triggers ​

False Positives ​

Remediation ​

Why It Matters

What Triggers

False Positives

Remediation