Security audit

Linear Todos

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Linear todo CLI that stores credentials only if setup is run and only talks to Linear, with no evidence of hidden exfiltration or automatic persistence.

Install only if you are comfortable giving a source-executed CLI a Linear API key that can create and update issues. Prefer setting LINEAR_API_KEY instead of running setup, or use a dedicated revocable Linear token if you want the config-file convenience.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (5)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 91% confidence
Finding: The skill is explicitly source-executing and its metadata declares required env/config, but it does not declare permissions despite clearly needing environment access, file read/write, network access, and shell execution. This weakens sandboxing and user consent because a reviewer may underestimate the operational capabilities of the skill before running it.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 84% confidence
Finding: The top-level description understates behavior by framing the skill mainly as creating todos, while the document also describes listing issues, updating workflow state, snoozing tasks, interactive setup, local file access, and reading nearby USER.md for timezone inference. Description/behavior mismatch is dangerous because it can mislead reviewers about data access, mutation scope, and persistence behavior.

Context-Inappropriate Capability

Medium

Confidence: 91% confidence
Finding: The code traverses parent directories and reads a workspace-level USER.md file to infer timezone, which is data access unrelated to the core task of managing Linear todos. Even though it only extracts timezone and does not exfiltrate data here, this expands the skill's access surface to user profile/workspace files without explicit user consent, creating a privacy and trust boundary violation.

Missing User Warnings

Low

Confidence: 87% confidence
Finding: When no configured timezone is present, the skill silently reads timezone information from USER.md with no user-facing disclosure in this file. In a source-execution skill, undisclosed reads of workspace files are risky because users may not expect a todo tool to inspect broader profile documents, even for seemingly harmless metadata.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The setup wizard saves the Linear API key via config.save(), and the UI does not present an explicit warning at the moment of persistence that the secret may be written to disk in plaintext. Storing long-lived API credentials locally increases exposure to local compromise, backups, accidental disclosure, or overly permissive file permissions. In this skill context, the risk is real because the tool is specifically handling an API token for a third-party service, though it appears to be convenience-driven rather than malicious.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.