Security audit

Linear

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Linear integration that uses your Linear API key to read and update Linear issues through the official API.

Install this only if you want your agent to access Linear using your API key and potentially modify issues. Use the least-privileged Linear token available, ask the agent to confirm write actions before running them, and set LINEAR_TEAMS_CACHE to a private path if cached team metadata is sensitive.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 90% confidence
Finding: The skill invokes shell commands but does not declare any permissions or execution scope, which creates a trust and containment gap. In an agent environment, undocumented shell capability can lead to unintended command execution, access to local files or environment variables such as LINEAR_API_KEY, and broader system interaction than users expect.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.