lintai docs

Appearance

Rule Reference

SEC417lintai-ai-securitystablemarkdownwarn

AI markdown: unpinned pip git install

AI-native markdown installs Python packages from an unpinned `git+https://` source

Provider
lintai-ai-security
Surface
markdown
Scope
per_file
Tier
stable
Severity
warn
Confidence
high
Detection
structural
Remediation
message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

previewmembership
skillsmembership

Lifecycle

Stable Lifecycle Contract

State

stable_gated

Graduation rationale

Checks AI-native markdown for `pip install` examples that pull directly from mutable git+https sources without commit pinning.

Deterministic signal basis

MarkdownSignals exact `pip install` plus `git+https://` token analysis with commit-pin detection inside parsed markdown regions.

Malicious corpus
claude-unpinned-pip-git-install
Benign corpus
claude-unpinned-pip-git-install-commit-pinned-safe
structured evidence required remediation reviewed
Canonical note

Structural stable rule intended as a high-precision check with deterministic evidence.

Nearby Signals

Related Rules

SEC352AI markdown: unscoped Bash tool grantAI-native markdown frontmatter grants unscoped Bash tool accessmarkdownstable
SEC428AI markdown: unsafe Read path grantAI-native markdown frontmatter grants `Read(...)` over an unsafe repo-external pathmarkdownstable
SEC429AI markdown: unsafe Write path grantAI-native markdown frontmatter grants `Write(...)` over an unsafe repo-external pathmarkdownstable
SEC430AI markdown: unsafe Edit path grantAI-native markdown frontmatter grants `Edit(...)` over an unsafe repo-external pathmarkdownstable
SEC431AI markdown: unsafe Glob path grantAI-native markdown frontmatter grants `Glob(...)` over an unsafe repo-external pathmarkdownstable
SEC432AI markdown: `Bash(git add:*)` tool grantAI-native markdown frontmatter grants `Bash(git add:*)` authoritymarkdownstable

SEC417 / MD-PIP-GIT-UNPINNED

AI-native markdown installs Python packages from an unpinned git+https:// source.

Why It Matters

pip install git+https://... examples teach users to install directly from mutable repository state instead of a published release or a commit-pinned reference. In shared AI setup docs, those examples are easy to copy unchanged and are hard to reproduce later.

Trigger Shape

This rule applies to AI-native markdown surfaces such as SKILL.md, CLAUDE.md, Copilot instruction files, and similar instruction markdown already classified by the scanner.

The rule triggers when the same markdown line contains:

  • pip install, pip3 install, or python -m pip install
  • git+https://
  • no immutable commit-style ref in the git URL

Mutable refs like @main still trigger.

Clean Cases

  • pip3 install "pkg @ git+https://github.com/org/repo.git@8a1a0ec"
  • published package install commands without a git URL

Example Trigger

bash
pip install git+https://github.com/pytorch/ao.git
bash
pip install -U git+https://github.com/facebookresearch/xformers.git@main#egg=xformers

Safer Example

bash
pip3 install "pkg @ git+https://github.com/org/repo.git@8a1a0ec"

How To Fix

  • replace the git-backed install with a published package release
  • or pin the git URL to an immutable commit reference