Back to skill

Security audit

Linearis

Security checks across malware telemetry and agentic risk

Overview

This appears to be a straightforward Linear CLI helper, with expected token use and live Linear changes that users should handle carefully.

Install only if you trust the npm package and need an agent to operate on your Linear workspace. Treat the Linear API token as a secret, avoid passing it on command lines that may be logged, protect any token file, and require explicit approval before allowing create, update, delete, upload, or download commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill instructs users to place a Linear API token in a shell command, environment variable, or CLI flag without any warning about secret handling. In an agent or shared-shell context, these methods can expose credentials via shell history, process listings, logs, or persisted environment capture, increasing the chance of token leakage.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill documents issue updates, comment creation, document creation/update/delete, and file upload/download operations with no warning that these commands modify or delete remote Linear data. In an autonomous-agent setting, this increases the risk of unintended state changes, destructive actions, or data loss if the agent invokes examples directly or with untrusted parameters.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.