Back to skill

Security audit

Linear

Security checks across malware telemetry and agentic risk

Overview

The Linear skill appears to be a legitimate Linear API helper, but users should treat it as write-capable because it can change issues when given an API key.

Install only if you want your agent to read and update Linear. Use a least-privilege Linear API key where possible, avoid sharing the key in prompts or files, and review agent requests before allowing issue creation, comments, assignment, priority, or status changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script exposes multiple state-changing operations such as create, comment, status, priority, and assign that immediately perform remote writes against the Linear API without any confirmation, dry-run mode, or guardrail. In an agent/tooling context, this increases the risk of accidental or prompt-induced modifications to production project data because a single mistaken invocation can alter issues, assignments, comments, or workflow state.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.