Rule Reference

SEC673lintai-ai-securitythreat-reviewsecuritystablehookdeny

Hook script: webhook secret exfiltration

Hook script posts secret material to a webhook endpoint

Public lane: threat-review
Category: security
Provider: lintai-ai-security
Scope: per-file
Surface: hook
Tier: stable
Severity: deny
Confidence: high
Detection: structural
Remediation: message only

How to read this lane

Explicit malicious, secret-bearing, or spyware-like review.

How to read this category

Strong exploit, secret, or unsafe-execution signal.

Activation Model

Preset Activation

These presets explain where this rule appears in the product experience.

threat-reviewsidecar lane

Lifecycle

Stable Lifecycle Contract

State

stable

Graduation rationale

Matches explicit secret-bearing posts to well-known webhook endpoints in executable hook lines.

Deterministic signal basis

HookSignals command-line analysis over non-comment hook lines for secret markers plus webhook endpoint markers such as `hooks.slack.com/services/` or `discord.com/api/webhooks/`.

Malicious corpus

hook-webhook-secret-exfil

Benign corpus

cursor-plugin-clean-basic

structured evidence required remediation reviewed

Canonical note

Structural stable rule positioned as an explicit threat-review control: high-signal malicious, credential-bearing, or spyware-like behavior that stays opt-in rather than shaping the quiet default.

Nearby Signals

Related Rules

SEC201Hook script: remote code executionHook script downloads remote code and executes itthreat-reviewsecurityhook

SEC202Hook script: secret exfiltrationHook script appears to exfiltrate secrets through a network callthreat-reviewsecurityhook

SEC203Hook script: insecure HTTP secret sendHook script sends secret material to an insecure http:// endpointthreat-reviewsecurityhook

SEC204Hook script: TLS verification disabledHook script disables TLS or certificate verification for a network callthreat-reviewsecurityhook

SEC205Hook script: hardcoded auth in network callHook script embeds static authentication material in a network callthreat-reviewsecurityhook

SEC206Hook script: base64 payload executionHook script decodes a base64 payload and executes itthreat-reviewsecurityhook

Why It Matters

Webhook posts are a common low-friction exfiltration channel because they can send captured credentials or tokens directly to an attacker-controlled collector.

What Triggers

SEC673 matches executable hook lines that combine secret markers such as OPENAI_API_KEY or bearer auth material with webhook endpoints like Slack or Discord incoming webhooks.

False Positives

Shared committed hooks should not forward secret material to webhook collectors. If a webhook is legitimate, it should not include credentials or copied secret values in the request body or query.

Remediation

Remove the secret-bearing webhook post from the hook and keep secret access local to the trusted tool or provider that actually needs it.

Hook script: webhook secret exfiltration

Preset Activation

Stable Lifecycle Contract

Related Rules

Why It Matters ​

What Triggers ​

False Positives ​

Remediation ​

Why It Matters

What Triggers

False Positives

Remediation