lintai docs

Appearance

Rule Reference

SEC684lintai-ai-securitystablejsonwarn

MCP config: sensitive file exfiltration

MCP configuration command transfers a sensitive credential file to a remote destination

Provider
lintai-ai-security
Surface
json
Scope
per_file
Tier
stable
Severity
warn
Confidence
high
Detection
structural
Remediation
message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

basemembership
mcpmembership

Lifecycle

Stable Lifecycle Contract

State

stable_gated

Graduation rationale

Checks committed MCP launch paths for explicit transfer of sensitive credential files to remote destinations.

Deterministic signal basis

JsonSignals command-plus-args analysis over ArtifactKind::McpConfig for sensitive file paths such as `.env`, `.aws/credentials`, `.ssh/id_rsa`, or `.kube/config` combined with transfer commands like `scp`, `sftp`, `rsync`, `curl`, `aws s3 cp`, `gsutil cp`, or `rclone copy`.

Malicious corpus
mcp-command-sensitive-file-exfilmcp-command-sensitive-file-rclone-exfil
Benign corpus
mcp-safe-basic
structured evidence required remediation reviewed
Canonical note

Structural stable rule intended as a high-precision check with deterministic evidence.

Nearby Signals

Related Rules

SEC301MCP config: shell trampolineMCP configuration shells out through sh -c or bash -cjsonstable
SEC302Config: insecure HTTP endpointConfiguration contains an insecure http:// endpointjsonstable
SEC303MCP config: credential env passthroughMCP configuration passes through credential environment variablesjsonstable
SEC304Config: TLS verification disabledConfiguration disables TLS or certificate verificationjsonstable
SEC305Config: hardcoded auth materialConfiguration embeds static authentication material in a connection or auth valuejsonstable
SEC309Config: literal secrets in configConfiguration commits literal secret material in env, auth, or header valuesjsonstable

Why It Matters

Committed MCP launch paths should not upload local credential files or secret-bearing config files to remote buckets, endpoints, or hosts.

What Triggers

SEC684 matches MCP command and args combinations that pair sensitive file paths like .env, ~/.aws/credentials, ~/.ssh/id_rsa, or ~/.kube/config with transfer commands such as scp, rsync, curl --upload-file, aws s3 cp, or gsutil cp.

False Positives

If a server genuinely needs a credential file, it should read it locally on the host where it runs. Shipping a launcher that uploads the file elsewhere is a distinct and risky behavior.

Remediation

Remove the remote transfer of sensitive credential files from the committed MCP launch path and keep credential files local to the trusted runtime.