ClawHub

Linear Issues

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Linear integration, but it should be reviewed because it can change real workspace data and builds Linear API requests from unescaped user text.

Review before installing. Use the narrowest Linear API key available, avoid passing untrusted text into create/update/comment/search commands, and confirm any action that creates issues, changes status or assignee, or posts comments because those changes affect the real Linear workspace.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill instructs the agent to invoke a shell script (`scripts/linear.sh`) and handle a credential file, but it does not declare any permissions despite clearly requiring shell execution. This creates a trust and containment gap: an orchestration system may expose shell capability implicitly, allowing command execution and access to local secrets without an explicit permission boundary or user awareness.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The README advertises creating, updating, and commenting on Linear issues but does not clearly warn that these operations perform live writes to an external project-management system. In an agent skill context, this increases the risk of unintended state changes, spam, workflow disruption, or accidental disclosure through comments because users may assume actions are informational rather than mutating.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal