Maverick Linear Mcp

Advisory

Audited by static analysis on May 13, 2026.

Overview

Detected: suspicious.exposed_secret_literal

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used on an ambiguous or mistaken request, the agent could create, update, or delete team-visible Linear data.

Why it was flagged

The skill intentionally exposes Linear’s live MCP tool catalog, including mutation tools. This is disclosed and purpose-aligned, and the instructions require clear user intent for writes/deletes.

Skill content

Call any tool from the catalog ... Write/delete tools (`save_*`, `delete_*`, `create_*`) modify workspace data visible to the user's team — confirm clear user intent before invoking them.

Recommendation

Use clear requests for write actions, review tool names and arguments, and require explicit confirmation before create/update/delete operations.

What this means

The skill can act with the permissions granted to the Linear OAuth integration.

Why it was flagged

The skill uses delegated OAuth credentials and persists them in mcporter’s vault so it can act against the user’s Linear workspace.

Skill content

Credentials are available to the agent runtime through required env vars. The wrapper seeds mcporter's vault as needed before each call. mcporter then reads tokens from the vault, sends them with each request, and refreshes them on expiry.

Recommendation

Authorize only the intended Linear workspace, use the least-privileged grant available, and revoke or rotate the OAuth grant if the skill is no longer needed.

What this means

Installation trust depends on the current mcporter package resolved by the package manager.

Why it was flagged

The install mechanism depends on an external Node package and the artifact does not pin a specific version.

Skill content

node | package: mcporter | creates binaries: mcporter

Recommendation

Install from the expected package source and prefer a pinned or reviewed mcporter version in controlled environments.

What this means

Linear receives the issue, project, comment, and other workspace data referenced in tool calls.

Why it was flagged

The skill sends OAuth-authenticated MCP calls to Linear’s hosted endpoint; this external data flow is disclosed and matches the stated purpose.

Skill content

"baseUrl": "https://mcp.linear.app/mcp", "transport": "http", "auth": "oauth"

Recommendation

Use the skill only for Linear-related work and avoid sending unrelated sensitive content through Linear MCP tools.

Findings (1)

critical

suspicious.exposed_secret_literal

Location

scripts/init-mcporter.sh:91

Finding

File appears to expose a hardcoded API secret or token.