Rule Reference

SEC335 (lintai-ai-security, preview, markdown, warn)

AI markdown: metadata-service access

AI-native markdown contains a direct cloud metadata-service access example

Provider
lintai-ai-security
Surface
markdown
Scope
per_file
Tier
preview
Severity
warn
Confidence
high
Detection
structural
Remediation
message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

Lifecycle

Preview Lifecycle Contract

State

preview_blocked

Promotion blocker

Metadata-service examples can appear in legitimate security training content, so the first release stays context-sensitive preview rather than claiming universal exploit signal.

Promotion requirements

Needs corpus-backed precision review, external usefulness evidence, and completed stable checklist metadata.

Canonical note

Structural preview rule; deterministic today, but the preview contract may still evolve.

Why It Matters

SEC335 flags AI-native markdown that contains a direct cloud metadata-service access example such as curl http://169.254.169.254/....

Metadata-service endpoints expose environment-specific instance data and credentials in many cloud deployments. In shared AI-native docs, direct access examples are easy to copy into environments where that access is far more sensitive than the document implies.

Positioning

This is a context-sensitive preview rule. The detector is structural, but cloud security labs, incident-response notes, and SSRF training material can legitimately show the same endpoints.

What Triggers

SEC335 applies to AI-native markdown and triggers when the same parsed line contains:

  • a literal metadata-service endpoint such as 169.254.169.254 or metadata.google.internal
  • and an execution marker such as curl, wget, or Invoke-WebRequest

Examples that trigger:

```text
curl http://169.254.169.254/latest/meta-data/
```

```powershell
Invoke-WebRequest http://metadata.google.internal/computeMetadata/v1/
```

Examples that stay clean:

  • generic SSRF deny-list prose without a command marker
  • generic mentions of internal metadata services without a literal metadata endpoint
  • AI-native markdown without a matching request example
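The trigger logic above (literal endpoint and execution marker on the same line) can be checked with a small line-level scanner. The following is an added illustration, not lintai's own implementation: it approximates "parsed line" with raw text lines, assumes the caller has already classified the file as AI-native markdown, and uses only the endpoints and markers named on this page. The sample document is constructed so that two lines trigger and the surrounding lines exercise each of the "stay clean" cases.

```python
"""Line-level detector in the spirit of SEC335 (added example, not lintai's own code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

RULE_ID = "SEC335"
SEVERITY = "warn"

# Literal metadata-service endpoints named on the rule page. Extending this
# list for other providers is left to the caller; the set here is an assumption.
METADATA_ENDPOINTS = [
    re.compile(r"\b169\.254\.169\.254\b"),
    re.compile(r"\bmetadata\.google\.internal\b", re.IGNORECASE),
]

# Execution markers named on the rule page, matched as whole tokens so that
# words such as "curling" or "wget-like" do not count as a marker.
EXEC_MARKERS = re.compile(
    r"(?<![\w-])(curl|wget|Invoke-WebRequest)(?![\w-])", re.IGNORECASE
)


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    line_no: int
    endpoint: str
    marker: str
    message: str


def _first_endpoint(line: str) -> Optional[str]:
    """Return the first literal metadata endpoint on the line, if any."""
    for pattern in METADATA_ENDPOINTS:
        match = pattern.search(line)
        if match:
            return match.group(0)
    return None


def scan_markdown(text: str) -> List[Finding]:
    """Return one Finding per line carrying both an endpoint and a marker.

    Assumption: raw lines stand in for lintai's parsed markdown lines, and the
    file has already been judged to be AI-native markdown by the caller.
    """
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        endpoint = _first_endpoint(line)
        if endpoint is None:
            continue  # no literal endpoint: generic mention stays clean
        marker = EXEC_MARKERS.search(line)
        if marker is None:
            continue  # endpoint without command marker (deny-list prose) stays clean
        findings.append(Finding(
            rule=RULE_ID,
            severity=SEVERITY,
            line_no=line_no,
            endpoint=endpoint,
            marker=marker.group(1),
            message=(
                f"{RULE_ID}: line {line_no} shows direct metadata-service access "
                f"({marker.group(1)} against {endpoint}); remove it if not essential, "
                "or keep risk framing and isolation guidance nearby"
            ),
        ))
    return findings


# Constructed sample document: two trigger lines surrounded by lines that must
# stay clean (endpoint without marker, marker without endpoint, plain prose).
SAMPLE_DOC = """\
# Cloud lab notes (constructed sample)

Our SSRF deny-list should block requests to internal metadata services.
Block 169.254.169.254 at the egress proxy.
curl http://169.254.169.254/latest/meta-data/
Invoke-WebRequest http://metadata.google.internal/computeMetadata/v1/
Run wget against the build server to fetch artifacts.
"""

if __name__ == "__main__":
    for finding in scan_markdown(SAMPLE_DOC):
        print(finding.message)
```

Running the block reports lines 5 and 6 of the sample and nothing else: line 4 names the endpoint without a command marker, line 7 has a marker without an endpoint, and line 3 only mentions metadata services generically. Keeping the endpoint check ahead of the marker check mirrors the rule's precision goal: the cheap, highly specific literal decides first, and the broad marker search only runs on lines that already name a sensitive endpoint.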

False Positives

This rule stays Preview because security training, cloud forensics, and offensive-security material often reference metadata-service access intentionally. The detector is still valuable, but the finding should be interpreted as "this document teaches direct metadata access" rather than a claim that the repository itself is misconfigured.

Remediation

If the example is not essential, remove the direct metadata request. If the example is intentionally instructional, keep explicit risk framing and isolation guidance nearby so the reader understands that this is a sensitive cloud endpoint rather than a normal setup dependency.