Rule Reference

SEC495lintai-ai-securitypreviewmarkdownwarn

AI markdown: shared bunx tool grant

AI-native markdown frontmatter grants `Bash(bunx:*)` tool access

Provider: lintai-ai-security
Surface: markdown
Scope: per_file
Tier: preview
Severity: warn
Confidence: high
Detection: structural
Remediation: message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

governancemembership

Lifecycle

Stable Lifecycle Contract

State

stable_gated

Graduation rationale

Checks AI-native markdown frontmatter for exact mutable `bunx` authority through `allowed-tools`.

Deterministic signal basis

MarkdownSignals exact frontmatter string detection for `Bash(bunx:*)` in allowed-tools entries.

Malicious corpus

skill-npm-exec-bunx-allowed-tools

Benign corpus

skill-npm-exec-bunx-specific-safe

structured evidence required remediation reviewed

Canonical note

Structural preview rule; deterministic today, but the preview contract may still evolve.

Nearby Signals

Related Rules

SEC390AI markdown: shared git push tool grantAI-native markdown frontmatter grants `Bash(git push)` tool accessmarkdownpreview

SEC391AI markdown: shared git checkout tool grantAI-native markdown frontmatter grants `Bash(git checkout:*)` tool accessmarkdownpreview

SEC392AI markdown: shared git commit tool grantAI-native markdown frontmatter grants `Bash(git commit:*)` tool accessmarkdownpreview

SEC393AI markdown: shared git stash tool grantAI-native markdown frontmatter grants `Bash(git stash:*)` tool accessmarkdownpreview

SEC474AI markdown: shared gh pr tool grantAI-native markdown frontmatter grants `Bash(gh pr:*)` tool accessmarkdownpreview

SEC494AI markdown: shared npm exec tool grantAI-native markdown frontmatter grants `Bash(npm exec:*)` tool accessmarkdownpreview

SEC495 / MD-BUNX-ALLOWED-TOOLS

SEC495 flags AI-native markdown frontmatter when allowed-tools grants the exact token Bash(bunx:*).

Why It Matters

bunx resolves and executes packages through a mutable runner path. Shared frontmatter should not quietly make that a default team capability.

Trigger Shape

The rule triggers only when all of these are true:

the file is an AI-native markdown instruction surface
the path is not fixture-like
allowed-tools or allowed_tools contains the exact token Bash(bunx:*)

Clean Cases

These stay clean:

more specific project commands such as Bash(bun run lint)
frontmatter without Bash(bunx:*)
fixture-like examples under test or fixture paths

Example Trigger

yaml

allowed-tools:
  - Bash(bunx:*)
  - Read

Safer Example

yaml

allowed-tools:
  - Bash(bun run lint)
  - Read

How To Fix

Replace Bash(bunx:*) with a narrower reviewed command, or remove shared mutable package-execution authority from the frontmatter entirely.

AI markdown: shared bunx tool grant

Preset Membership

Stable Lifecycle Contract

Related Rules

SEC495 / MD-BUNX-ALLOWED-TOOLS ​

Why It Matters ​

Trigger Shape ​

Clean Cases ​

Example Trigger ​

Safer Example ​

How To Fix ​