lintai docs

Appearance

Rule Reference

SEC352lintai-ai-securitystablemarkdownwarn

AI markdown: unscoped Bash tool grant

AI-native markdown frontmatter grants unscoped Bash tool access

Provider
lintai-ai-security
Surface
markdown
Scope
per_file
Tier
stable
Severity
warn
Confidence
high
Detection
structural
Remediation
message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

recommendedmembership
previewmembership
skillsmembership

Lifecycle

Stable Lifecycle Contract

State

stable_gated

Graduation rationale

Checks AI-native frontmatter for exact bare `Bash` grants that expose unconstrained shell authority as shared default policy.

Deterministic signal basis

MarkdownSignals exact frontmatter token detection for bare `Bash` inside allowed-tools or allowed_tools.

Malicious corpus
skill-unscoped-bash-allowed-tools
Benign corpus
skill-scoped-bash-allowed-tools-safe
structured evidence required remediation reviewed
Canonical note

Structural stable rule intended as a high-precision check with deterministic evidence.

Nearby Signals

Related Rules

SEC347AI markdown: MCP via mutable package runnerAI-native markdown example launches MCP through a mutable package runnermarkdownpreview
SEC417AI markdown: unpinned pip git installAI-native markdown installs Python packages from an unpinned `git+https://` sourcemarkdownstable
SEC428AI markdown: unsafe Read path grantAI-native markdown frontmatter grants `Read(...)` over an unsafe repo-external pathmarkdownstable
SEC429AI markdown: unsafe Write path grantAI-native markdown frontmatter grants `Write(...)` over an unsafe repo-external pathmarkdownstable
SEC430AI markdown: unsafe Edit path grantAI-native markdown frontmatter grants `Edit(...)` over an unsafe repo-external pathmarkdownstable
SEC431AI markdown: unsafe Glob path grantAI-native markdown frontmatter grants `Glob(...)` over an unsafe repo-external pathmarkdownstable

Why It Matters

Broad Bash grants in AI-native frontmatter widen agent execution authority far beyond the task the document is trying to teach. For shared skills and instruction files, this makes the documented setup less defensible and harder to review than scoped forms such as Bash(git:*).

Current Priority

SEC352 is currently the strongest skills-markdown rule in the external validation set:

  • latest field pass: 20 findings
  • manual review: 20 TP, 0 expected-but-benign, 0 FP
  • practical takeaway: if you want one preview-era skills markdown rule to read first, start here

See also: SEC352 Stable-Candidate Track.

What Triggers

SEC352 applies to AI-native markdown surfaces with parsed frontmatter and triggers when allowed-tools or allowed_tools grants bare Bash instead of a scoped Bash(...) form.

Examples that trigger:

  • allowed-tools: Bash, Read, Write
  • allowed-tools: [Bash, Read]
  • YAML list form with - Bash

Examples that stay clean:

  • allowed-tools: Bash(git:*), Read
  • files under fixture-like paths such as tests/fixtures/

False Positives

This rule stays Preview because some ecosystems still document broad Bash grants as a convenience default. The intent is least-privilege guidance, not a claim that every such skill is immediately exploitable. The current field data is still unusually strong for a preview markdown rule: no false positives were observed in the latest stratified wave.

The remaining blocker is now promotion discipline, not a lack of field signal. The checked-in promotion packet lives in SEC352 Stable-Candidate Track.

Remediation

Prefer scoped command grants such as Bash(git:*), Bash(npm:*), or another narrower tool set that matches the documented workflow. If broad shell access is truly required, document that exception explicitly and keep the rule suppressed only after review.