Linear 1.0.0

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Linear helper that reads and updates Linear work items using a user-provided API key, with one low-risk local cache hardening issue.

Install only if you are comfortable giving the agent the permissions attached to your Linear API key. Use the least-privileged key available, require explicit approval for create/comment/status/priority/assign commands, and set LINEAR_TEAMS_CACHE to a private path on shared systems.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 93% confidence
Finding: The script caches team metadata in /tmp using a predictable filename derived from the API key checksum and does so without setting restrictive permissions or validating the target path. On multi-user systems, this can expose organizational team information to other local users and creates symlink/race-file risks if an attacker can pre-create or replace the cache path.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal