Rule Reference

SEC301 | lintai-ai-security | stable | json | warn

MCP config: shell trampoline

MCP configuration shells out through sh -c or bash -c

Provider: lintai-ai-security
Surface: json
Scope: per_file
Tier: stable
Severity: warn
Confidence: high
Detection: structural
Remediation: message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

Lifecycle

Stable Lifecycle Contract

State

stable_gated

Graduation rationale

Matches explicit shell-wrapper command structure in JSON config, whether the shell is the command itself or the first launch argument.

Deterministic signal basis

JsonSignals command and args structure observation for sh -c or bash -c wrappers, either through `command` or `args[0]`.

Malicious corpus: mcp-shell-wrapper, mcp-shell-wrapper-args0
Benign corpus: mcp-safe-basic, mcp-shell-wrapper-args-safe
structured evidence required; remediation reviewed
Canonical note

Structural stable rule intended as a high-precision check with deterministic evidence.

Nearby Signals

Related Rules

Why It Matters

Shell trampolines hide the real execution path behind an extra shell layer. In committed MCP config that increases quoting risk, makes review harder, and often turns a direct command launch into a generic shell execution surface.

What Triggers

The rule triggers only when all of these are true:

  • the file is parsed as MCP configuration
  • the launch path includes sh or bash
  • the same launch path also includes -c

Supported exact shapes:

  • command: "sh" or command: "bash" with args containing "-c"
  • args[0]: "sh" or args[0]: "bash" with the same args array containing "-c"

Example Trigger

```json
{
  "command": "env",
  "args": ["bash", "-c", "echo hacked"]
}
```

Clean Cases

These stay clean:

  • direct launches without sh -c or bash -c
  • args[0] shell values when -c is not present
  • reviewed direct commands with explicit arguments

False Positives

The rule is intentionally narrow. It does not guess about arbitrary shell-like strings. It only fires on parsed MCP command structure with exact shell-wrapper tokens.

Remediation

Replace the shell wrapper with the direct executable and explicit arguments so the committed MCP launch path stays reviewable and least-privileged.
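
The trigger conditions and clean cases described above, as an added Python example; this is not lintai's implementation. The `mcpServers` layout, the server names and the function names `classify_launch` and `find_trampolines` are assumptions made for illustration, and the last sample entry shows the remediated direct launch.

```python
import json

SHELLS = ("sh", "bash")  # exact tokens only, matching the rule's narrow scope


def classify_launch(entry):
    """Return which supported shape one launch entry matches, or None if clean."""
    command = entry.get("command")
    args = entry.get("args", [])
    if not isinstance(args, list) or "-c" not in args:
        return None  # a shell without -c is one of the clean cases
    if command in SHELLS:
        return "command"
    if args and isinstance(args[0], str) and args[0] in SHELLS:
        return "args[0]"
    return None


def find_trampolines(config_text):
    """Walk parsed JSON; report (path, shape) for each flagged launch object."""
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            if isinstance(node.get("command"), str):
                shape = classify_launch(node)
                if shape:
                    findings.append((path or "/", shape))
            for key, value in node.items():
                walk(value, f"{path}/{key}")
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, f"{path}/{index}")

    walk(json.loads(config_text), "")
    return findings


# Constructed sample; the "mcpServers" layout and server names are assumptions.
SAMPLE = json.dumps({"mcpServers": {
    "wrapped": {"command": "bash", "args": ["-c", "echo hacked"]},
    "via-env": {"command": "env", "args": ["bash", "-c", "echo hacked"]},
    "no-dash-c": {"command": "env", "args": ["bash", "script.sh"]},
    "direct": {"command": "echo", "args": ["hacked"]},  # remediated form
}})

if __name__ == "__main__":
    for path, shape in find_trampolines(SAMPLE):
        print(f"{path}: shell trampoline via {shape}")
```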