Security audit

Linear

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Linear integration that uses your Linear API key to read and update Linear issues through the official API.

Install this only if you want your agent to access Linear using your API key and potentially modify issues. Use the least-privileged Linear token available, ask the agent to confirm write actions before running them, and set LINEAR_TEAMS_CACHE to a private path if cached team metadata is sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 90%
Finding: The skill invokes shell commands but does not declare any permissions or execution scope, which creates a trust and containment gap. In an agent environment, undocumented shell capability can lead to unintended command execution, access to local files or environment variables such as LINEAR_API_KEY, and broader system interaction than users expect.

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.