Back to skill

Security audit

Linear Autopilot

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Linear-to-Discord automation skill, but it can let external task events drive agent work, Linear updates, Discord messages, and git pushes without enough approval and secret-handling guardrails.

Review before installing. Use dedicated low-privilege Linear and Discord credentials, treat webhook URLs and bot tokens as secrets, keep the automation in a private low-risk Discord channel, require human review before running tasks or pushing git commits, and know how to disable the Make.com/Pipedream/Zapier workflow quickly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill instructs use of shell commands and operational scripts but does not declare corresponding permissions, which weakens consent and review boundaries for potentially state-changing actions. In this context, the shell capability is used for credential file creation, Linear status updates, and git operations, so undeclared execution capability can surprise users and bypass expected safety gating.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented behavior promises broad automation across Discord, webhooks, Clawdbot triggering, and git sync, but the implemented content only covers limited Linear-related shell/script interactions. This mismatch can mislead users into granting trust or permissions under the assumption of a controlled workflow while important security-relevant pieces are unspecified or expected to be improvised manually.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The security note says the skill does not collect or transmit credentials, yet the setup explicitly requires providing API keys, bot tokens, and webhook endpoints to external automation platforms and services. This contradictory assurance can cause users to underestimate the risk of exposing secrets and task data to third parties.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The activation language is extremely broad, covering almost any task type and generic workflow setup, which increases the chance the skill is invoked in contexts far beyond what was narrowly reviewed. In a skill that can lead to shell use, external notifications, and git pushes, overbroad triggering expands the blast radius of accidental or inappropriate activation.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The workflow includes automatic git add/commit/push behavior without a prominent warning that local files may be modified and transmitted to a remote repository. In this skill's context, tasks can include research, content, code, or custom outputs, so an automatic push could exfiltrate sensitive or unintended material and create irreversible history.

Missing User Warnings

Low
Confidence
79% confidence
Finding
The instructions store a Linear API key in a plaintext local env file without emphasizing sensitivity, file permissions, or safer secret-handling practices. While common in tutorials, this can lead to accidental disclosure through backups, permissive filesystem settings, shell history, or later git inclusion.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The webhook and Discord setup forwards task titles, identifiers, state, and potentially broader task content through third-party services without a clear disclosure of that data flow. Because this workflow is meant for arbitrary task types, users may unknowingly route sensitive work items through external processors and messaging platforms.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The guide instructs users to create and paste a Discord webhook URL, but it does not state that the webhook URL is effectively a secret bearer credential. If the URL is exposed in screenshots, docs, chat logs, repos, or tests, anyone who obtains it can post messages into the target channel, enabling spam, impersonation of automation, and possible social-engineering against downstream bots or operators.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The guide tells users to paste a Discord webhook URL or bot token into Zapier and later suggests testing the webhook with curl, but it never warns that these values are secrets. Discord webhook URLs and bot tokens grant message-sending capability and, if exposed in screenshots, shared docs, logs, or misconfigured zaps, can be abused to spam channels, impersonate automation, or trigger downstream agent workflows.

Credential Access

High
Category
Privilege Escalation
Content
set -e

# Load API key
if [ -f ~/.clawdbot/linear.env ]; then
  source ~/.clawdbot/linear.env
elif [ -n "$LINEAR_API_KEY" ]; then
  : # Already set
Confidence
92% confidence
Finding
.env

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.