Security audit

Linear Native Node

Security checks across malware telemetry and agentic risk

Overview

This is a narrow Tavily web-search helper that requires a Tavily API key and sends user queries to Tavily, with no hidden persistence or destructive behavior found.

Install only if you are comfortable providing a Tavily API key and sending search queries to Tavily. Do not use it for secrets, private client data, internal hostnames, incident details, or confidential research unless you intentionally approve that disclosure.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical

Code: suspicious.env_credential_access
Location: scripts/linear.mjs:35