Native Linear

Security checks across malware telemetry and agentic risk

Overview

This skill transparently connects to Linear to read, create, and update issues, with no evidence of hidden data sharing or persistence.

Install only if you are comfortable giving the skill a Linear API key. Prefer a least-privileged key where possible, and review create or update actions before allowing an agent to run them in an important workspace.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 81%
Finding
The create command performs a real remote state-changing operation against Linear without any confirmation, dry-run mode, or explicit user warning at execution time. In an agent setting, this increases the risk of accidental or prompt-induced ticket creation, causing workflow spam, data integrity issues, or unintended disclosure of sensitive text into Linear.

Missing User Warnings

Medium
Confidence: 84%
Finding
The update command modifies existing Linear issues immediately once invoked, with no confirmation or safeguard against unintended changes. In an agent context, malformed instructions or prompt injection could cause unauthorized workflow changes, incorrect issue states, or overwrite titles/descriptions with unreviewed content.

VirusTotal

64/64 vendors flagged this skill as clean.
