linear
Fail
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The
gqlfunction inscripts/linear.shconstructs acurlcommand using double quotes for the data payload (-d "{\"query\": \"$query\"}"). This configuration allows the shell to perform variable expansion and subshell execution (e.g.,$(...)or backticks) on the contents of the$queryvariable. Because this variable includes unvalidated user-supplied strings like ticket titles and comments, an attacker could trigger arbitrary command execution on the agent's host system by including shell metacharacters in Linear data. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to the way it retrieves and displays data from external sources.
- Ingestion points: Ticket descriptions (via the
issuecommand) and Notion research pages (vianotion-searchandnotion-fetch). - Boundary markers: The skill does not define delimiters or protective instructions to separate fetched content from the agent's system prompt or current task instructions.
- Capability inventory: The agent can execute the
linear.shscript (which has network and file access) and usecurlto download files to/tmp. - Sanitization: While the script attempts to escape double quotes, it does not sanitize against shell command expansion sequences.
- [EXTERNAL_DOWNLOADS]: The skill provides guidelines for the agent to download image assets from Linear's official infrastructure (
uploads.linear.app) usingcurl. This is a standard operation using a well-known service associated with the skill's functionality.
Recommendations
- AI detected serious security threats
Audit Metadata