linear-cli
Warn
Audited by Gen Agent Trust Hub on Feb 22, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill instructs the user to install the linear-cli tool from an untrusted GitHub tap (schpet/tap/linear) and a JSR package (@schpet/linear-cli). The deno install -A command is particularly high-risk as it grants the installed binary full access to the network, file system, and environment.
- [COMMAND_EXECUTION] (LOW): The skill executes a variety of commands that interact with the local file system and version control systems (Git and Jujutsu). This includes creating Pull Requests and modifying issue statuses based on local branch names.
- [PROMPT_INJECTION] (LOW): The skill is vulnerable to indirect prompt injection because it processes untrusted data from an external platform.
- Ingestion points: Data enters the context via linear issue view, linear issue list, and linear issue comment list, as well as local file reads via --content-file.
- Boundary markers: Absent. There are no instructions to the agent to treat data from Linear as untrusted.
- Capability inventory: The skill can execute commands that modify external state, such as linear issue pr (creating GitHub PRs) and linear issue delete.
- Sanitization: Absent. Issue content is interpolated directly into terminal output and command operations.
- [CREDENTIALS_UNSAFE] (LOW): The documentation suggests storing the LINEAR_API_KEY in shell profiles (~/.bashrc, ~/.zshrc). While a standard practice for CLI tools, this exposes the credential to any process capable of reading those files.
Audit Metadata