Rule Reference

AI markdown: MCP via mutable package runner

AI-native markdown example launches MCP through a mutable package runner

Provider: lintai-ai-security
Surface: markdown
Scope: per_file
Tier: preview
Severity: warn
Confidence: high
Detection: structural
Remediation: message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

Lifecycle

Preview Lifecycle Contract

State

preview_blocked

Promotion blocker

Mutable MCP launcher examples in markdown can be legitimate setup guidance, so the first release stays in the core preview lane while broader field validation continues.

Promotion requirements

Needs corpus-backed precision review, external usefulness evidence, and completed stable checklist metadata.

Canonical note

Structural preview rule; deterministic today, but the preview contract may still evolve.

Nearby Signals

Related Rules

Why It Matters

SEC347 flags AI-native documentation that teaches MCP setup through mutable package runners such as npx, uvx, pnpm dlx, yarn dlx, or pipx run.

These examples are convenient, but they are weak as shared onboarding guidance:

  • they are less reproducible than checked-in wrappers or pinned install flows
  • they normalize latest-style package execution in copy-paste setup docs
  • they make it harder for reviewers to tell whether the recommended path is intentionally trusted or just convenient

Positioning

This is a core preview rule, not a sidecar guidance check. The detector is narrow and field signal is already good, but the ecosystem still needs broader validation before the rule should be treated as fully mature.

What Triggers

SEC347 applies only to AI-native markdown surfaces:

  • SKILL.md
  • CLAUDE.md, AGENTS.md, *.instructions.md, *.agent.md
  • .mdc, .cursorrules
  • plugin agent / plugin command markdown

It has two narrow trigger shapes.

CLI form

The same line contains:

  • `claude mcp add`
  • and a mutable launcher token such as `npx` or `uvx`

Example that triggers:

```text
claude mcp add exa -- npx -y mcp-remote "https://mcp.exa.ai/mcp"
```

Config-snippet form

The same markdown region contains:

  • MCP context such as `mcpServers` or `MCP server`
  • a launcher command marker such as `"command": "npx"` or `command: pipx`
  • nearby mutable-launch semantics in `args`, such as package args, `dlx`, or `run`

Example that triggers:

```json
{
  "mcpServers": {
    "olostep": {
      "command": "npx",
      "args": ["-y", "olostep-mcp"]
    }
  }
}
```

Examples that stay clean:

  • a bare `command: npx` without nearby package args
  • a generic `npx lighthouse`
  • safety guidance such as `Do not use "command": "npx" for MCP examples`

False Positives

This rule stays Preview because setup docs are not the same as committed executable config. A project may intentionally document a mutable launcher for convenience, especially in quick-start guides.

To reduce noise, SEC347 suppresses findings near safety wording such as:

  • do not use
  • don't use
  • avoid
  • replace with
  • instead of
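The two trigger shapes and the safety-wording suppression described above, as an added example that is not the lintai-ai-security implementation: a small detector that checks blank-line-separated markdown regions for the CLI form and the config-snippet form, skipping regions that carry the listed safety phrases. The sample document is constructed and mixes this page's triggering and clean examples.

```python
import re

# CLI form: "claude mcp add" and one of the rule's mutable launchers on the same line.
LAUNCHER = r"(?:npx|uvx|pnpm\s+dlx|yarn\s+dlx|pipx\s+run)"
CLI_FORM = re.compile(r"\bclaude\s+mcp\s+add\b.*\b" + LAUNCHER + r"\b")
# Config-snippet form: MCP context + launcher command marker + mutable-launch args.
MCP_CONTEXT = re.compile(r"mcpServers|MCP server", re.IGNORECASE)
COMMAND_MARKER = re.compile(r'"?command"?\s*:\s*"?(?:npx|uvx|pnpm|yarn|pipx)\b')
MUTABLE_ARGS = re.compile(r'"?args"?\s*:\s*\[\s*"[^"\]]+"|\b(?:dlx|run)\b')
# Safety wording that suppresses findings in the same region (False Positives section).
SAFETY = re.compile(r"do not use|don't use|avoid|replace with|instead of", re.IGNORECASE)


def regions(markdown: str) -> list[tuple[int, str]]:
    """Split a document into blank-line-separated regions as (first_line_no, text)."""
    out, buf = [], []
    for no, line in enumerate(markdown.splitlines() + [""], start=1):
        if line.strip():
            buf.append((no, line))
        elif buf:
            out.append((buf[0][0], "\n".join(text for _, text in buf)))
            buf = []
    return out


def scan(markdown: str) -> list[tuple[int, str]]:
    """Return (line_no, trigger_form) findings; regions with safety wording are skipped."""
    findings = []
    for start, region in regions(markdown):
        if SAFETY.search(region):
            continue  # shown as a discouraged pattern, not as setup guidance
        for offset, line in enumerate(region.splitlines()):
            if CLI_FORM.search(line):
                findings.append((start + offset, "cli"))
        if MCP_CONTEXT.search(region) and COMMAND_MARKER.search(region) and MUTABLE_ARGS.search(region):
            findings.append((start, "config"))
    return findings


# Constructed sample SKILL.md content: lines 1 and 3 trigger, the rest stay clean.
SAMPLE_DOC = """\
claude mcp add exa -- npx -y mcp-remote "https://mcp.exa.ai/mcp"

{"mcpServers": {"olostep": {"command": "npx", "args": ["-y", "olostep-mcp"]}}}

{"mcpServers": {"demo": {"command": "npx"}}}

npx lighthouse https://example.com

Do not use "command": "npx" for MCP examples such as
{"mcpServers": {"bad": {"command": "npx", "args": ["-y", "bad-mcp"]}}}
"""
```

Calling `scan(SAMPLE_DOC)` reports the CLI form on line 1 and the config-snippet form on line 3; the bare launcher, the generic `npx lighthouse`, and the region prefixed with safety wording produce no findings.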

Remediation

Prefer one of these fixes:

  1. replace the example with a checked-in wrapper or local script
  2. rewrite the docs around a pinned or reproducible install flow
  3. keep the risky example only as an explicitly discouraged pattern

Good replacement pattern:

```text
Use the checked-in wrapper at `./scripts/mcp-exa.sh` instead of launching through `npx`.
```

Community intent for this rule is guidance, not blame: the finding means "this doc teaches a mutable MCP setup path", not "the package is malicious".