lintai docs

Appearance

Rule Reference

SEC303lintai-ai-securitystablejsonwarn

MCP config: credential env passthrough

MCP configuration passes through credential environment variables

Provider
lintai-ai-security
Surface
json
Scope
per_file
Tier
stable
Severity
warn
Confidence
high
Detection
structural
Remediation
message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

basemembership
mcpmembership

Lifecycle

Stable Lifecycle Contract

State

stable_gated

Graduation rationale

Matches explicit credential env passthrough by key inside configuration env maps.

Deterministic signal basis

JsonSignals env-map key observation for credential passthrough keys.

Malicious corpus
mcp-credential-env-passthrough
Benign corpus
mcp-safe-basic
structured evidence required remediation reviewed
Canonical note

Structural stable rule intended as a high-precision check with deterministic evidence.

Nearby Signals

Related Rules

SEC301MCP config: shell trampolineMCP configuration shells out through sh -c or bash -cjsonstable
SEC302Config: insecure HTTP endpointConfiguration contains an insecure http:// endpointjsonstable
SEC304Config: TLS verification disabledConfiguration disables TLS or certificate verificationjsonstable
SEC305Config: hardcoded auth materialConfiguration embeds static authentication material in a connection or auth valuejsonstable
SEC309Config: literal secrets in configConfiguration commits literal secret material in env, auth, or header valuesjsonstable
SEC310Config: metadata or private-network hostConfiguration endpoint targets a metadata or private-network host literaljsonstable

Why It Matters

Forwarding credential environment variables through committed MCP config broadens where secrets flow and makes it easier for downstream tools to inherit credentials they did not strictly need.

What Triggers

SEC303 applies to configuration env maps and triggers when a credential-shaped key forwards its value from the ambient environment.

Examples that trigger:

json
{"env":{"OPENAI_API_KEY":"${OPENAI_API_KEY}"}}
{"servers":{"demo":{"env":{"OPENAI_API_KEY":"${OPENAI_API_KEY}"}}}}

Example that stays clean:

json
{"env":{"WORKSPACE_ROOT":"${HOME}"}}

False Positives

The rule is scoped to credential-shaped env keys. It is not a generic env-reference detector, and it deliberately avoids duplicating the more general preview rule for non-credential sensitive env forwarding.

Remediation

Remove credential env passthrough from the committed config and configure the secret only inside the target service or runtime boundary that actually needs it.