lintai docs

Appearance

Rule Reference

SEC389lintai-ai-securitypreviewmarkdownwarn

AI markdown: bare WebSearch tool grant

AI-native markdown frontmatter grants bare `WebSearch` tool access

Provider
lintai-ai-security
Surface
markdown
Scope
per_file
Tier
preview
Severity
warn
Confidence
high
Detection
structural
Remediation
message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

previewmembership
skillsmembership

Lifecycle

Stable Lifecycle Contract

State

stable_gated

Graduation rationale

Checks AI-native frontmatter for bare WebSearch grants that omit a reviewed search scope.

Deterministic signal basis

MarkdownSignals exact frontmatter token detection for bare `WebSearch` inside allowed-tools or allowed_tools.

Malicious corpus
skill-risky-frontmatter-tool-grants
Benign corpus
skill-reviewed-frontmatter-tool-grants-safe
structured evidence required remediation reviewed
Canonical note

Structural preview rule; deterministic today, but the preview contract may still evolve.

Nearby Signals

Related Rules

SEC101HTML comment: dangerous instructionsHidden HTML comment contains dangerous agent instructionsmarkdownpreview
SEC102Markdown: remote execution instructionMarkdown contains remote download-and-execute instruction outside code blocksmarkdownpreview
SEC103HTML comment: remote execution instructionHidden HTML comment contains remote download-and-execute instructionmarkdownpreview
SEC104Markdown: base64 executable payloadMarkdown contains a base64-decoded executable payload outside code blocksmarkdownpreview
SEC105Markdown: parent-directory file accessMarkdown instructions reference parent-directory traversal for file accessmarkdownpreview
SEC313Shell example: remote content piped to shellFenced shell example pipes remote content directly into a shellmarkdownpreview

SEC389 / MD-WEBSEARCH-UNSCOPED

SEC389 flags AI-native markdown frontmatter when allowed-tools or allowed_tools grants bare WebSearch.

Why It Matters

Bare WebSearch is a broad capability grant. In shared skills or instruction files it is easy to cargo-cult into repositories without review, which makes network-search scope harder to reason about than an explicit constrained pattern.

Trigger Shape

The rule triggers only when all of these are true:

  • the file is a detected AI-native markdown instruction surface
  • the path is not fixture-like
  • allowed-tools or allowed_tools contains the exact token WebSearch

Clean Cases

These stay clean:

  • scoped patterns such as WebSearch(site:docs.example.com)
  • wildcard search grants, which should be handled separately if promoted later
  • fixture-like examples under test or fixture paths

Example Trigger

yaml
---
allowed-tools: WebSearch, Read
---

Safer Example

yaml
---
allowed-tools: WebSearch(site:docs.example.com), Read
---

How To Fix

Replace bare WebSearch with a narrower reviewed search pattern, or remove broad search access from the shared frontmatter grant.