lintai docs

Appearance

Rule Reference

SEC336lintai-ai-securitypreviewjsonwarn

MCP client config: broad envFile

Repo-local MCP client config loads a broad dotenv-style envFile

Provider
lintai-ai-security
Surface
json
Scope
per_file
Tier
preview
Severity
warn
Confidence
high
Detection
structural
Remediation
message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

previewmembership
mcpmembership

Lifecycle

Preview Lifecycle Contract

State

preview_blocked

Promotion blocker

Broad envFile loading is useful review signal, but whether it is materially risky still depends on repo-local review policy and env contents.

Promotion requirements

Needs corpus-backed precision review, external usefulness evidence, and completed stable checklist metadata.

Canonical note

Structural preview rule; deterministic today, but the preview contract may still evolve.

Nearby Signals

Related Rules

SEC306JSON config: hidden override instructionsJSON configuration description contains override-style hidden instructionsjsonpreview
SEC307Config: sensitive env forwardingConfiguration forwards sensitive environment variable referencesjsonpreview
SEC308Config: suspicious remote endpointConfiguration points at a suspicious remote endpointjsonpreview
SEC301MCP config: shell trampolineMCP configuration shells out through sh -c or bash -cjsonstable
SEC302Config: insecure HTTP endpointConfiguration contains an insecure http:// endpointjsonstable
SEC303MCP config: credential env passthroughMCP configuration passes through credential environment variablesjsonstable

Why It Matters

Broad repo-local .env loading can silently inject more credentials and local state than the MCP client or server actually needs. That makes the committed client config less reviewable and widens secret exposure by default.

What Triggers

SEC336 applies to repo-local MCP client config such as .cursor/mcp.json or .vscode/mcp.json and triggers when a server entry loads a broad dotenv-style envFile.

Example that triggers:

json
{"servers":{"demo":{"envFile":".env"}}}

Examples that stay clean:

json
{"servers":{"demo":{"envFile":"configs/server.env.json"}}}
{"servers":{"demo":{"envFile":"${workspaceFolder}/.env"}}}

False Positives

This rule stays Preview because whether broad env-file loading is materially risky depends on repo policy and the actual env contents. The signal is still useful as a review prompt because the client config is opting into wide secret ingestion.

Remediation

Prefer narrower explicit env injection over broad repo-local .env files for committed MCP client configs, or make the path clearly workspace-scoped and reviewable.