
Rule Reference

SEC355 | lintai-ai-security | preview | markdown | warn

AI markdown: wildcard tool grant

AI-native markdown frontmatter grants wildcard tool access

Provider: lintai-ai-security
Surface: markdown
Scope: per_file
Tier: preview
Severity: warn
Confidence: high
Detection: structural
Remediation: message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

Lifecycle

Preview Lifecycle Contract

State

preview_blocked

Promotion blocker

Wildcard tool grants in AI-native frontmatter can still appear in convenience-oriented docs, so the first release stays least-privilege guidance-only.

Promotion requirements

Needs corpus-backed precision review, external usefulness evidence, and completed stable checklist metadata.

Canonical note

Structural preview rule; deterministic today, but the preview contract may still evolve.

Nearby Signals

Related Rules

Why It Matters

Wildcard tool grants make shared skills and instruction files much harder to review. Once frontmatter says every tool is allowed, the document stops expressing least privilege and becomes a much broader execution policy than most AI workflows actually need.

What Triggers

SEC355 applies to AI-native markdown surfaces with parsed frontmatter and triggers when any of these keys grants a literal wildcard tool token:

  • allowed-tools
  • allowed_tools
  • tools

Examples that trigger:

  • allowed-tools: "*"
  • allowed_tools: ["*"]
  • YAML list form with tools: followed by - "*"

Examples that stay clean:

  • allowed-tools: Read, Write, Edit
  • allowed-tools: Bash(git:*), Read
  • files under fixture-like paths such as tests/fixtures/
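
A minimal sketch of the check described above, added here as an example; it is not lintai's own implementation. The function names, the hand-rolled frontmatter parsing and the substring test for fixture paths are assumptions made for illustration.

```python
import re

TOOL_KEYS = {"allowed-tools", "allowed_tools", "tools"}

def frontmatter(text):
    """Return the lines between the leading '---' fences, or [] if none."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "---":
        return []
    for i, line in enumerate(lines[1:], 1):
        if line.strip() == "---":
            return lines[1:i]
    return []

def tokens(value):
    """Split a scalar, comma list or inline [a, b] list into bare tool tokens."""
    value = value.strip().strip("[]")
    # Split on commas that are not inside parentheses, e.g. Bash(git:*)
    parts = re.split(r",(?![^()]*\))", value)
    return [p.strip().strip("\"'") for p in parts if p.strip()]

def wildcard_grants(text, path=""):
    """Return the frontmatter keys that grant the literal '*' tool token."""
    if "tests/fixtures/" in path:  # assumption: fixture-like paths are skipped
        return []
    hits, key = [], None
    for line in frontmatter(text):
        m = re.match(r"^([\w-]+):\s*(.*)$", line)
        if m:  # top-level "key: value" line
            key, value = m.group(1), m.group(2)
            if key in TOOL_KEYS and "*" in tokens(value):
                hits.append(key)
        elif key in TOOL_KEYS:  # "- item" line of a block list under a tool key
            item = re.match(r"^\s*-\s*(.+)$", line)
            if item and "*" in tokens(item.group(1)):
                hits.append(key)
    return hits

# Constructed sample skill file (not taken from any real repository).
SAMPLE = '---\nname: demo\ntools:\n  - Read\n  - "*"\n---\nDo the thing.\n'

if __name__ == "__main__":
    print(wildcard_grants(SAMPLE, "skills/demo/SKILL.md"))
```

Only a token that is exactly `*` counts, so a scoped grant such as Bash(git:*) is not flagged.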

False Positives

This rule stays Preview because some shared AI repos still document wildcard tool access as a convenience default. The rule is guidance about least privilege and reviewability, not a claim that every such file is immediately exploitable.

Remediation

Replace wildcard access with an explicit allowlist of only the tools the workflow actually needs. If a skill really needs shell access, prefer a narrower scoped form such as Bash(git:*) instead of *.

How To Pass Lint

Prefer frontmatter like this:

```yaml
allowed-tools: Read, Write, Bash(git:*)
```

Avoid:

```yaml
allowed-tools: "*"
```