Rule Reference

SEC426lintai-ai-securitystablemarkdownwarn

AI markdown: bare Glob tool grant

AI-native markdown frontmatter grants bare `Glob` tool access

Provider: lintai-ai-security
Surface: markdown
Scope: per_file
Tier: stable
Severity: warn
Confidence: high
Detection: structural
Remediation: message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

governancemembership

Lifecycle

Stable Lifecycle Contract

State

stable_gated

Graduation rationale

Checks AI-native frontmatter for bare Glob grants that omit a reviewed repo-local discovery scope.

Deterministic signal basis

MarkdownSignals exact frontmatter token detection for bare `Glob` inside allowed-tools or allowed_tools.

Malicious corpus

skill-unscoped-glob-allowed-tools

Benign corpus

skill-unscoped-glob-allowed-tools-specific-safe

structured evidence required remediation reviewed

Canonical note

Structural stable rule intended as a high-precision check with deterministic evidence.

Nearby Signals

Related Rules

SEC423AI markdown: bare Read tool grantAI-native markdown frontmatter grants bare `Read` tool accessmarkdownstable

SEC424AI markdown: bare Write tool grantAI-native markdown frontmatter grants bare `Write` tool accessmarkdownstable

SEC425AI markdown: bare Edit tool grantAI-native markdown frontmatter grants bare `Edit` tool accessmarkdownstable

SEC427AI markdown: bare Grep tool grantAI-native markdown frontmatter grants bare `Grep` tool accessmarkdownstable

SEC505AI markdown: shared gh api POST tool grantAI-native markdown frontmatter grants `Bash(gh api --method POST:*)` tool accessmarkdownstable

SEC506AI markdown: shared gh issue create tool grantAI-native markdown frontmatter grants `Bash(gh issue create:*)` tool accessmarkdownstable

SEC426 / MD-GLOB-UNSCOPED

SEC426 flags AI-native markdown frontmatter when allowed-tools or allowed_tools grants bare Glob.

This rule intentionally lives in the opt-in governance preset. Shared skills often need discovery capabilities, but repo-wide default glob authority is a policy choice that deserves explicit review rather than headline security treatment.

Why It Matters

Bare Glob is a broad file-discovery grant. In shared skills and instruction files, it turns open-ended repository enumeration into default policy instead of a narrower reviewed glob scope.

Trigger Shape

AI-native markdown surface with parsed frontmatter
path is not fixture-like
allowed-tools or allowed_tools contains the exact token Glob

Clean Cases

scoped patterns such as Glob(./docs/**)
frontmatter that does not grant bare Glob
fixture-like examples under test or fixture paths

Example Trigger

---
allowed-tools: Glob, Read(./docs/**)
---

Safer Example

---
allowed-tools: Glob(./docs/**), Read(./docs/**)
---

How To Fix

Review whether shared bare Glob authority is really needed, or replace it with narrower workflow-specific discovery patterns instead of a default repo-wide grant.

AI markdown: bare Glob tool grant

Preset Membership

Stable Lifecycle Contract

Related Rules

SEC426 / MD-GLOB-UNSCOPED ​

Why It Matters ​

Trigger Shape ​

Clean Cases ​

Example Trigger ​

Safer Example ​

How To Fix ​