mdpact

tools/unknown-tool

Severity: warning | Category: tools | Fixable: no

A backticked tool is referenced but not in the declared allowed list.

What it catches

A backticked command (e.g. `docker push`) that matches the rule's detection list but isn't in the project's allowed list. By default, the rule detects common CLIs and flags any that are not explicitly allowed.

Why it matters

A rule that says "use docker push" assumes the agent has Docker available and has policy to run it. If Docker isn't part of the declared toolset, the agent will either refuse at the wrong moment or — worse — succeed in a way that wasn't approved. Declare the tools you want the agent to use.

Options

Example — bad (default detect list, empty allowed)

- Run `docker push` to publish the image.

Example — good

- Run `gh pr create` to open the PR.

with `ruleOptions: { "tools/unknown-tool": { allowed: ["gh"] } }` in your config.

good.md
---
version: 1
owner: team
---

# Spec

- When you need to open a PR, run `gh pr create`.

bad.md
---
version: 1
owner: team
---

# Spec

- When you need to publish, run `docker push` — requires cluster access.
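
The check described under "What it catches", as an added sketch (not mdpact's own code): it extracts inline backticked commands, takes the first word as the tool, and warns when that tool is on the detection list but not on the allowed list. `DETECT`, `findUnknownTools` and the decision to skip fenced blocks are assumptions of this sketch; the inputs are constructed from the good.md and bad.md fixtures.

```javascript
// Added sketch, not mdpact's source. DETECT is an assumed stand-in for the
// rule's built-in detection list, which the page does not enumerate.
const DETECT = ["docker", "gh", "kubectl", "terraform", "aws"];

// Returns one warning per inline backticked command whose first word is a
// detected CLI that is missing from the allowed list (default: empty).
function findUnknownTools(markdown, { detect = DETECT, allowed = [] } = {}) {
  const detected = new Set(detect);
  const permitted = new Set(allowed);
  const findings = [];
  let inFence = false;
  markdown.split("\n").forEach((text, index) => {
    // Sketch choice: ignore fenced blocks and look only at inline code spans.
    if (/^\s*(`{3}|~{3})/.test(text)) {
      inFence = !inFence;
      return;
    }
    if (inFence) return;
    for (const match of text.matchAll(/`([^`]+)`/g)) {
      const command = match[1].trim();
      const tool = command.split(/\s+/)[0];
      if (detected.has(tool) && !permitted.has(tool)) {
        findings.push({
          rule: "tools/unknown-tool",
          severity: "warning",
          line: index + 1,
          tool,
          command,
        });
      }
    }
  });
  return findings;
}

// Constructed inputs modelled on the page's bad.md and good.md fixtures.
const spec = (bullet) =>
  ["---", "version: 1", "owner: team", "---", "", "# Spec", "", bullet].join("\n");
const BAD = spec("- When you need to publish, run `docker push`.");
const GOOD = spec("- When you need to open a PR, run `gh pr create`.");

console.log(findUnknownTools(BAD)); // docker is detected but not allowed
console.log(findUnknownTools(GOOD, { allowed: ["gh"] })); // gh is declared
```

With the default empty allowed list, the good.md input is flagged as well, which is why the "good" example depends on the `allowed: ["gh"]` entry in the config.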