Back to skill

Security audit

Linear

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Linear integration that uses a local API key and official SDK to read and update Linear work items.

Install only if you are comfortable giving this local CLI a Linear API key with the permissions that token has. Use a dedicated least-privilege Linear token, review issue/project IDs before mutations, avoid placing secrets in Linear comments or descriptions, and keep npm dependency updates controlled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill requires access to a sensitive environment variable (`LINEAR_API_KEY`) and executes a bundled Node CLI, but the skill file does not declare an explicit permissions model beyond metadata requirements. That gap can cause agents or users to invoke code with credential access without clear least-privilege boundaries or consent semantics, increasing the chance of unintended secret exposure or misuse.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"version": "1.0.0",
  "private": true,
  "dependencies": {
    "@linear/sdk": "^71.0.0"
  }
}
Confidence
94% confidence
Finding
"@linear/sdk": "^71.0.0"

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.