Rule Reference

SEC447lintai-ai-securitystablemarkdownwarn

AI markdown: package installation tool grant

AI-native markdown frontmatter grants package installation authority

Provider: lintai-ai-security
Surface: markdown
Scope: per_file
Tier: stable
Severity: warn
Confidence: high
Detection: structural
Remediation: message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

previewmembership

skillsmembership

Lifecycle

Stable Lifecycle Contract

State

stable_gated

Graduation rationale

Checks AI-native frontmatter for shared package-install grants in allowed-tools policy.

Deterministic signal basis

MarkdownSignals exact frontmatter token detection for package-install permissions such as `Bash(pip install)` and `Bash(npm install)` inside allowed-tools or allowed_tools.

Malicious corpus

skill-package-install-allowed-tools

Benign corpus

skill-package-command-allowed-tools-safe

structured evidence required remediation reviewed

Canonical note

Structural stable rule intended as a high-precision check with deterministic evidence.

Nearby Signals

Related Rules

SEC352AI markdown: unscoped Bash tool grantAI-native markdown frontmatter grants unscoped Bash tool accessmarkdownstable

SEC417AI markdown: unpinned pip git installAI-native markdown installs Python packages from an unpinned `git+https://` sourcemarkdownstable

SEC428AI markdown: unsafe Read path grantAI-native markdown frontmatter grants `Read(...)` over an unsafe repo-external pathmarkdownstable

SEC429AI markdown: unsafe Write path grantAI-native markdown frontmatter grants `Write(...)` over an unsafe repo-external pathmarkdownstable

SEC430AI markdown: unsafe Edit path grantAI-native markdown frontmatter grants `Edit(...)` over an unsafe repo-external pathmarkdownstable

SEC431AI markdown: unsafe Glob path grantAI-native markdown frontmatter grants `Glob(...)` over an unsafe repo-external pathmarkdownstable

SEC447 / MD-PACKAGE-INSTALL-ALLOWED-TOOLS

SEC447 flags AI-native markdown frontmatter when allowed-tools grants exact package-install authority such as Bash(pip install) or Bash(npm install).

Why It Matters

Shared package-install authority turns dependency mutation into default team policy. In AI-native instruction files, that makes supply-chain changes easy to cargo-cult without a reviewed install workflow.

Trigger Shape

The rule triggers only when all of these are true:

the file is an AI-native markdown instruction surface with parsed frontmatter
the path is not fixture-like
allowed-tools or allowed_tools contains one of these exact tokens:
- Bash(pip install)
- Bash(pip3 install)
- Bash(python -m pip install)
- Bash(yarn install)
- Bash(npm install)
- Bash(pnpm install)
- Bash(bun install)

Clean Cases

These stay clean:

more specific non-install commands such as Bash(pip cache purge)
frontmatter that does not grant package installation
fixture-like examples under test or fixture paths

Example Trigger

---
allowed-tools:
  - Bash(pip install)
  - Read
---

Safer Example

---
allowed-tools:
  - Bash(pip cache purge)
  - Read
---

How To Fix

Replace shared package-install authority with a narrower reviewed workflow, or remove install privileges from shared frontmatter entirely.

AI markdown: package installation tool grant

Preset Membership

Stable Lifecycle Contract

Related Rules

SEC447 / MD-PACKAGE-INSTALL-ALLOWED-TOOLS ​

Why It Matters ​

Trigger Shape ​

Clean Cases ​

Example Trigger ​

Safer Example ​

How To Fix ​