lintai docs

Appearance

Rule Reference

SEC474lintai-ai-securitypreviewmarkdownwarn

AI markdown: shared gh pr tool grant

AI-native markdown frontmatter grants `Bash(gh pr:*)` tool access

Provider
lintai-ai-security
Surface
markdown
Scope
per_file
Tier
preview
Severity
warn
Confidence
high
Detection
structural
Remediation
message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

governancemembership

Lifecycle

Stable Lifecycle Contract

State

stable_gated

Graduation rationale

Checks AI-native markdown frontmatter for exact GitHub pull-request authority through `allowed-tools`.

Deterministic signal basis

MarkdownSignals exact frontmatter string detection for `Bash(gh pr:*)` in allowed-tools entries.

Malicious corpus
skill-gh-pr-allowed-tools
Benign corpus
skill-gh-pr-allowed-tools-specific-safe
structured evidence required remediation reviewed
Canonical note

Structural preview rule; deterministic today, but the preview contract may still evolve.

Nearby Signals

Related Rules

SEC390AI markdown: shared git push tool grantAI-native markdown frontmatter grants `Bash(git push)` tool accessmarkdownpreview
SEC391AI markdown: shared git checkout tool grantAI-native markdown frontmatter grants `Bash(git checkout:*)` tool accessmarkdownpreview
SEC392AI markdown: shared git commit tool grantAI-native markdown frontmatter grants `Bash(git commit:*)` tool accessmarkdownpreview
SEC393AI markdown: shared git stash tool grantAI-native markdown frontmatter grants `Bash(git stash:*)` tool accessmarkdownpreview
SEC494AI markdown: shared npm exec tool grantAI-native markdown frontmatter grants `Bash(npm exec:*)` tool accessmarkdownpreview
SEC495AI markdown: shared bunx tool grantAI-native markdown frontmatter grants `Bash(bunx:*)` tool accessmarkdownpreview

SEC474 / MD-GH-PR-PERMISSION

SEC474 flags AI-native markdown frontmatter when allowed-tools or allowed_tools grants the exact token Bash(gh pr:*).

Why It Matters

gh pr:* bundles broad pull-request operations behind one shared permission token. Granting it directly in shared instruction frontmatter makes remote PR authority part of the default workflow instead of a narrower reviewed action.

This rule intentionally lives in the opt-in governance preset rather than the main preview lane. A shared skill may legitimately document a PR workflow, but repo-wide gh pr authority still deserves explicit review instead of reading like a headline vulnerability finding.

Trigger Shape

The rule triggers only when all of these are true:

  • the file is a detected AI-native markdown instruction surface
  • the path is not fixture-like
  • allowed-tools or allowed_tools contains the exact token Bash(gh pr:*)

Clean Cases

These stay clean:

  • more specific command examples such as Bash(gh pr diff:*)
  • unrelated GitHub CLI permissions like Bash(gh repo view)
  • fixture-like examples under test or fixture paths

Example Trigger

yaml
---
allowed-tools: Bash(gh pr:*), Read
---

Safer Example

yaml
---
allowed-tools: Bash(gh pr diff:*), Read
---

How To Fix

Review whether shared Bash(gh pr:*) access is really needed, or replace it with a narrower workflow-specific permission that does not grant blanket pull-request authority by default.