Rule Reference

SEC505lintai-ai-securitystablemarkdownwarn

AI markdown: shared gh api POST tool grant

AI-native markdown frontmatter grants `Bash(gh api --method POST:*)` tool access

Provider: lintai-ai-security
Surface: markdown
Scope: per_file
Tier: stable
Severity: warn
Confidence: high
Detection: structural
Remediation: message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

governancemembership

Lifecycle

Stable Lifecycle Contract

State

stable_gated

Graduation rationale

Checks AI-native markdown frontmatter for exact GitHub API POST mutation authority through `allowed-tools`.

Deterministic signal basis

MarkdownSignals exact frontmatter string detection for `Bash(gh api --method POST:*)` in allowed-tools entries.

Malicious corpus

skill-gh-mutation-allowed-tools

Benign corpus

skill-gh-mutation-specific-safe

structured evidence required remediation reviewed

Canonical note

Structural stable rule intended as a high-precision check with deterministic evidence.

Nearby Signals

Related Rules

SEC423AI markdown: bare Read tool grantAI-native markdown frontmatter grants bare `Read` tool accessmarkdownstable

SEC424AI markdown: bare Write tool grantAI-native markdown frontmatter grants bare `Write` tool accessmarkdownstable

SEC425AI markdown: bare Edit tool grantAI-native markdown frontmatter grants bare `Edit` tool accessmarkdownstable

SEC426AI markdown: bare Glob tool grantAI-native markdown frontmatter grants bare `Glob` tool accessmarkdownstable

SEC427AI markdown: bare Grep tool grantAI-native markdown frontmatter grants bare `Grep` tool accessmarkdownstable

SEC506AI markdown: shared gh issue create tool grantAI-native markdown frontmatter grants `Bash(gh issue create:*)` tool accessmarkdownstable

SEC505 / MD-GH-API-POST-ALLOWED-TOOLS

SEC505 flags AI-native markdown frontmatter when allowed-tools grants the exact token Bash(gh api --method POST:*).

Why It Matters

gh api --method POST is a broad GitHub mutation path. Shared frontmatter should not quietly make remote POST mutations a default capability for every agent that loads the file.

Trigger Shape

The rule triggers only when all of these are true:

the file is an AI-native markdown instruction surface
the path is not fixture-like
allowed-tools or allowed_tools contains the exact token Bash(gh api --method POST:*)

Clean Cases

These stay clean:

more specific read-only API commands such as Bash(gh api --method GET:*)
frontmatter without Bash(gh api --method POST:*)
fixture-like examples under test or fixture paths

Example Trigger

yaml

allowed-tools:
  - Bash(gh api --method POST:*)
  - Read

Safer Example

yaml

allowed-tools:
  - Bash(gh api --method GET:*)
  - Read

How To Fix

Replace Bash(gh api --method POST:*) with a narrower reviewed command, or remove shared GitHub mutation authority from the frontmatter entirely.

AI markdown: shared gh api POST tool grant

Preset Membership

Stable Lifecycle Contract

Related Rules

SEC505 / MD-GH-API-POST-ALLOWED-TOOLS ​

Why It Matters ​

Trigger Shape ​

Clean Cases ​

Example Trigger ​

Safer Example ​

How To Fix ​