lintai docs

Appearance

Rule Reference

SEC404lintai-ai-securitypreviewmarkdownwarn

AI markdown: bare WebFetch tool grant

AI-native markdown frontmatter grants bare `WebFetch` tool access

Provider
lintai-ai-security
Surface
markdown
Scope
per_file
Tier
preview
Severity
warn
Confidence
high
Detection
structural
Remediation
message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

previewmembership
skillsmembership

Lifecycle

Stable Lifecycle Contract

State

stable_gated

Graduation rationale

Checks AI-native frontmatter for exact bare `WebFetch` grants that expose unconstrained remote fetch authority as shared default policy.

Deterministic signal basis

MarkdownSignals exact frontmatter token detection for bare `WebFetch` inside allowed-tools or allowed_tools.

Malicious corpus
skill-unscoped-webfetch-allowed-tools
Benign corpus
skill-scoped-webfetch-allowed-tools-safe
structured evidence required remediation reviewed
Canonical note

Structural preview rule; deterministic today, but the preview contract may still evolve.

Nearby Signals

Related Rules

SEC101HTML comment: dangerous instructionsHidden HTML comment contains dangerous agent instructionsmarkdownpreview
SEC102Markdown: remote execution instructionMarkdown contains remote download-and-execute instruction outside code blocksmarkdownpreview
SEC103HTML comment: remote execution instructionHidden HTML comment contains remote download-and-execute instructionmarkdownpreview
SEC104Markdown: base64 executable payloadMarkdown contains a base64-decoded executable payload outside code blocksmarkdownpreview
SEC105Markdown: parent-directory file accessMarkdown instructions reference parent-directory traversal for file accessmarkdownpreview
SEC313Shell example: remote content piped to shellFenced shell example pipes remote content directly into a shellmarkdownpreview

SEC404 / MD-WEBFETCH-UNSCOPED

SEC404 flags AI-native markdown frontmatter when allowed-tools or allowed_tools grants bare WebFetch.

Why It Matters

Bare WebFetch is a broad remote-content capability grant. In shared skills or instruction files it is easy to ship repo-wide fetch authority by default instead of constraining access to reviewed domains or patterns.

Trigger Shape

The rule triggers only when all of these are true:

  • the file is a detected AI-native markdown instruction surface
  • the path is not fixture-like
  • allowed-tools or allowed_tools contains the exact token WebFetch

Clean Cases

These stay clean:

  • scoped patterns such as WebFetch(domain:docs.example.com)
  • wildcard fetch grants, which should be handled separately if promoted later
  • fixture-like examples under test or fixture paths

Example Trigger

yaml
---
allowed-tools: WebFetch, Read
---

Safer Example

yaml
---
allowed-tools: WebFetch(domain:docs.example.com), Read
---

How To Fix

Replace bare WebFetch with a narrower reviewed fetch pattern, or remove broad fetch access from the shared frontmatter grant.