Rule Reference

SEC434lintai-ai-securitystablemarkdownwarn

AI markdown: raw.githubusercontent.com WebFetch grant

AI-native markdown frontmatter grants `WebFetch(domain:raw.githubusercontent.com)` authority

Provider: lintai-ai-security
Surface: markdown
Scope: per_file
Tier: stable
Severity: warn
Confidence: high
Detection: structural
Remediation: message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

previewmembership

skillsmembership

Lifecycle

Stable Lifecycle Contract

State

stable_gated

Graduation rationale

Checks AI-native frontmatter for explicit raw GitHub content fetch grants in shared allowed-tools policy.

Deterministic signal basis

MarkdownSignals exact frontmatter token detection for `WebFetch(domain:raw.githubusercontent.com)` inside allowed-tools or allowed_tools.

Malicious corpus

skill-webfetch-raw-github-allowed-tools

Benign corpus

skill-webfetch-raw-github-allowed-tools-specific-safe

structured evidence required remediation reviewed

Canonical note

Structural stable rule intended as a high-precision check with deterministic evidence.

Nearby Signals

Related Rules

SEC352AI markdown: unscoped Bash tool grantAI-native markdown frontmatter grants unscoped Bash tool accessmarkdownstable

SEC417AI markdown: unpinned pip git installAI-native markdown installs Python packages from an unpinned `git+https://` sourcemarkdownstable

SEC428AI markdown: unsafe Read path grantAI-native markdown frontmatter grants `Read(...)` over an unsafe repo-external pathmarkdownstable

SEC429AI markdown: unsafe Write path grantAI-native markdown frontmatter grants `Write(...)` over an unsafe repo-external pathmarkdownstable

SEC430AI markdown: unsafe Edit path grantAI-native markdown frontmatter grants `Edit(...)` over an unsafe repo-external pathmarkdownstable

SEC431AI markdown: unsafe Glob path grantAI-native markdown frontmatter grants `Glob(...)` over an unsafe repo-external pathmarkdownstable

SEC434 / MD-WEBFETCH-RAW-GITHUB

SEC434 flags AI-native markdown frontmatter when allowed-tools grants the exact token WebFetch(domain:raw.githubusercontent.com).

Why It Matters

raw.githubusercontent.com serves direct repository file contents. Granting that fetch target in shared AI instruction frontmatter makes mutable remote code and prompt content easier to ingest outside the normal repository review path.

Trigger Shape

The rule triggers only when all of these are true:

the file is an AI-native markdown instruction surface with parsed frontmatter
the path is not fixture-like
allowed-tools or allowed_tools contains the exact token WebFetch(domain:raw.githubusercontent.com)

Clean Cases

These stay clean:

narrower reviewed domains such as WebFetch(domain:github.com)
frontmatter that does not grant raw GitHub fetches
fixture-like examples under test or fixture paths

Example Trigger

---
allowed-tools:
  - WebFetch(domain:raw.githubusercontent.com)
  - Read
---

Safer Example

---
allowed-tools:
  - WebFetch(domain:github.com)
  - Read
---

How To Fix

Replace WebFetch(domain:raw.githubusercontent.com) with a narrower reviewed documentation host, or remove broad raw GitHub fetch authority from shared frontmatter entirely.

AI markdown: raw.githubusercontent.com WebFetch grant

Preset Membership

Stable Lifecycle Contract

Related Rules

SEC434 / MD-WEBFETCH-RAW-GITHUB ​

Why It Matters ​

Trigger Shape ​

Clean Cases ​

Example Trigger ​

Safer Example ​

How To Fix ​