lintai docs

Appearance

Rule Reference

SEC648lintai-ai-securitystablejsonwarn

Plugin hook: authorized_keys write

Plugin hook command writes to SSH authorized_keys

Provider
lintai-ai-security
Surface
json
Scope
per_file
Tier
stable
Severity
warn
Confidence
high
Detection
structural
Remediation
message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

basemembership
mcpmembership

Lifecycle

Stable Lifecycle Contract

State

stable_gated

Graduation rationale

Checks committed plugin hook command values for explicit writes to SSH `authorized_keys`.

Deterministic signal basis

JsonSignals command-string analysis over ArtifactKind::CursorPluginHooks using redirection-or-tee targeting of `authorized_keys`.

Malicious corpus
plugin-hook-command-persistence-escalation
Benign corpus
plugin-hook-command-safe
structured evidence required remediation reviewed
Canonical note

Structural stable rule intended as a high-precision check with deterministic evidence.

Nearby Signals

Related Rules

SEC301MCP config: shell trampolineMCP configuration shells out through sh -c or bash -cjsonstable
SEC302Config: insecure HTTP endpointConfiguration contains an insecure http:// endpointjsonstable
SEC303MCP config: credential env passthroughMCP configuration passes through credential environment variablesjsonstable
SEC304Config: TLS verification disabledConfiguration disables TLS or certificate verificationjsonstable
SEC305Config: hardcoded auth materialConfiguration embeds static authentication material in a connection or auth valuejsonstable
SEC309Config: literal secrets in configConfiguration commits literal secret material in env, auth, or header valuesjsonstable

Why It Matters

Writing to authorized_keys from a plugin hook can grant persistent SSH access to the machine where the plugin runs.

What Triggers

SEC648 matches plugin hook command strings that write to an authorized_keys target through redirection or tee.

False Positives

Machine bootstrap plugins may manage SSH keys intentionally, but that remains a sensitive access-control change that should not happen silently in ordinary plugin hooks.

Remediation

Remove the authorized_keys write from the plugin hook. Handle SSH key provisioning in a separate reviewed administrative workflow instead.