Rule Reference

SEC448lintai-ai-securitystablemarkdownwarn

AI markdown: pip trusted-host

AI-native markdown installs Python packages with `--trusted-host`

Provider: lintai-ai-security
Surface: markdown
Scope: per_file
Tier: stable
Severity: warn
Confidence: high
Detection: structural
Remediation: message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

previewmembership

skillsmembership

Lifecycle

Stable Lifecycle Contract

State

stable_gated

Graduation rationale

Checks AI-native markdown for `pip install` examples that disable host trust checks with `--trusted-host`.

Deterministic signal basis

MarkdownSignals exact `pip install` token analysis with `--trusted-host` detection inside parsed markdown regions.

Malicious corpus

skill-pip-trusted-host

Benign corpus

skill-pip-index-url-safe

structured evidence required remediation reviewed

Canonical note

Structural stable rule intended as a high-precision check with deterministic evidence.

Nearby Signals

Related Rules

SEC352AI markdown: unscoped Bash tool grantAI-native markdown frontmatter grants unscoped Bash tool accessmarkdownstable

SEC417AI markdown: unpinned pip git installAI-native markdown installs Python packages from an unpinned `git+https://` sourcemarkdownstable

SEC428AI markdown: unsafe Read path grantAI-native markdown frontmatter grants `Read(...)` over an unsafe repo-external pathmarkdownstable

SEC429AI markdown: unsafe Write path grantAI-native markdown frontmatter grants `Write(...)` over an unsafe repo-external pathmarkdownstable

SEC430AI markdown: unsafe Edit path grantAI-native markdown frontmatter grants `Edit(...)` over an unsafe repo-external pathmarkdownstable

SEC431AI markdown: unsafe Glob path grantAI-native markdown frontmatter grants `Glob(...)` over an unsafe repo-external pathmarkdownstable

SEC448 / MD-PIP-TRUSTED-HOST

SEC448 flags AI-native markdown when a pip install example uses the exact --trusted-host option.

Why It Matters

--trusted-host weakens the normal trust model for Python package retrieval. In shared AI-native instructions, that turns a risky supply-chain workaround into copy-pastable team guidance.

Trigger Shape

The rule triggers only when all of these are true:

the file is an AI-native markdown instruction surface
a parsed markdown region contains pip install, pip3 install, or python -m pip install
the same region also contains the exact token --trusted-host

Clean Cases

These stay clean:

pip install examples without --trusted-host
examples that use a normal HTTPS index URL
unrelated commands that mention --trusted-host without pip install

Example Trigger

bash

pip install --trusted-host pypi.example.test demo

Safer Example

bash

pip install --index-url https://pypi.example.test/simple demo

How To Fix

Remove --trusted-host and use a normal TLS-verified Python package source instead.

AI markdown: pip trusted-host

Preset Membership

Stable Lifecycle Contract

Related Rules

SEC448 / MD-PIP-TRUSTED-HOST ​

Why It Matters ​

Trigger Shape ​

Clean Cases ​

Example Trigger ​

Safer Example ​

How To Fix ​