Rule Reference

SEC462 · lintai-ai-security · stable · markdown · warn

AI markdown: network TLS bypass

AI-native markdown disables TLS verification for a network-capable command

Provider: lintai-ai-security
Surface: markdown
Scope: per_file
Tier: stable
Severity: warn
Confidence: high
Detection: structural
Remediation: message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

Lifecycle

Stable Lifecycle Contract

State

stable_gated

Graduation rationale

Checks AI-native markdown for exact network-command examples that disable TLS verification, including PowerShell certificate-bypass forms.

Deterministic signal basis

MarkdownSignals exact command-token analysis with `--insecure`, `-k`, `--no-check-certificate`, `-SkipCertificateCheck`, or `NODE_TLS_REJECT_UNAUTHORIZED=0` detection inside parsed markdown regions, with safety-guidance suppression.

Malicious corpus: skill-markdown-network-tls-bypass, skill-markdown-network-tls-bypass-powershell
Benign corpus: skill-markdown-network-tls-bypass-warning-safe, skill-markdown-network-tls-bypass-powershell-warning-safe
structured evidence required; remediation reviewed
Canonical note

Structural stable rule intended as a high-precision check with deterministic evidence.

Nearby Signals

Related Rules

SEC462 / MD-NETWORK-TLS-BYPASS

SEC462 flags AI-native markdown when a network-capable command example disables TLS verification with `--insecure`, `-k`, `--no-check-certificate`, `-SkipCertificateCheck`, or `NODE_TLS_REJECT_UNAUTHORIZED=0`.

Why It Matters

Disabling TLS verification removes normal certificate checks from a network fetch. In shared AI-native instructions, that turns a transport-bypass into copy-pastable setup guidance.

Positioning

SEC462 is structurally strong, but still context-sensitive in practice. Security training, lab, and internal bootstrap docs can intentionally show TLS-bypass examples, so the finding is best read as a transport-hardening signal, not as proof of malicious intent.

What Triggers It

  • AI-native markdown surface
  • the same parsed markdown region contains a network-capable command example such as:
    • curl
    • wget
    • or a request using http:// / https://
  • the same region also contains one of:
    • --insecure
    • -k
    • --no-check-certificate
    • -SkipCertificateCheck
    • NODE_TLS_REJECT_UNAUTHORIZED=0

The finding points to the TLS-bypass token itself.

What Does Not Trigger It

  • normal verified curl or wget examples without TLS bypass
  • normal verified Invoke-WebRequest or Invoke-RestMethod examples without TLS bypass
  • safety-oriented guidance such as "Do not use curl --insecure ..."
  • unrelated prose that mentions TLS without a matching network command
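
The trigger and non-trigger conditions above can be approximated in a short detector. This is an added example, not lintai's implementation: the region splitting (fenced block or blank-line-separated paragraph), the same-line safety-phrase suppression, and the names `regions`, `find_tls_bypass` and `SAMPLE` are assumptions made for illustration.

```python
import re

EXACT = {"--insecure", "-k", "--no-check-certificate", "NODE_TLS_REJECT_UNAUTHORIZED=0"}
CASELESS = {"-skipcertificatecheck"}  # PowerShell parameter names ignore case
NETWORK = re.compile(r"\b(curl|wget)\b|https?://", re.I)
SAFETY = re.compile(r"\b(do not|don't|never|avoid)\b", re.I)  # assumed phrases

def regions(markdown):
    """Yield regions as lists of (line_no, text): fenced blocks or paragraphs."""
    current, in_fence = [], False
    for no, line in enumerate(markdown.splitlines(), 1):
        is_fence = line.lstrip().startswith("`" * 3)
        if is_fence or (not in_fence and not line.strip()):
            if current:
                yield current
            current = []
            in_fence ^= is_fence  # only a fence line toggles fenced state
            continue
        current.append((no, line))
    if current:
        yield current

def find_tls_bypass(markdown):
    """Return (line_no, token) for each bypass token in a network-capable region."""
    findings = []
    for region in regions(markdown):
        if not any(NETWORK.search(text) for _, text in region):
            continue  # TLS flag with no network command: not a finding
        for no, text in region:
            if SAFETY.search(text):
                continue  # safety guidance such as "Do not use curl --insecure"
            for raw in text.split():
                tok = raw.strip("`'\",.;()")  # exact token, minus markdown punctuation
                if tok in EXACT or tok.lower() in CASELESS:
                    findings.append((no, tok))
    return findings

FENCE = "`" * 3  # built at runtime so the sample can contain fenced blocks
SAMPLE = "\n".join([  # constructed input, modelled on the page's examples
    "Fetch the installer:", "",
    FENCE + "bash",
    "curl --insecure https://internal.example.test/bootstrap.sh -o bootstrap.sh",
    FENCE, "",
    "Do not use `curl --insecure` against production hosts.", "",
    FENCE + "powershell",
    "Invoke-WebRequest https://internal.example.test/bootstrap.ps1 -SkipCertificateCheck",
    FENCE, "",
    "The -k option of tar keeps existing files.",
])
```

Calling `find_tls_bypass(SAMPLE)` reports the two command lines and skips both the warning sentence and the `tar -k` prose, which sits in a region with no network command.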

Example

Bad:

```bash
curl --insecure https://internal.example.test/bootstrap.sh -o bootstrap.sh
```

```powershell
Invoke-WebRequest https://internal.example.test/bootstrap.ps1 -SkipCertificateCheck
```

Better:

```bash
curl https://internal.example.test/bootstrap.sh -o bootstrap.sh
```

```powershell
Invoke-WebRequest https://internal.example.test/bootstrap.ps1
```

Remediation

Remove the TLS-bypass flag or env override and keep normal certificate verification enabled for the network command.