linear-cli
Audited by Socket on Feb 22, 2026
1 alert found:
Malware [Skill Scanner]: Natural language instruction to download and install from URL detected

This skill file is a benign-looking instruction document for using a Linear CLI. Its declared capabilities (reading VCS metadata, using an API key, creating config files) align with the stated purpose. The main security concern is supply-chain trust for the installer sources: the Homebrew tap and Deno namespace referenced are third-party (schpet) rather than an explicitly verified official Linear distribution, which raises a moderate supply-chain risk if users install binaries from those sources. No direct malicious code or data-exfiltration instructions are present in the skill itself.

LLM verification: SKILL.md itself is benign documentation and does not contain overt malicious code or obfuscation. However, it recommends installing and running third-party code from non-official distribution namespaces (Homebrew schpet/tap, Deno jsr:@schpet) and demonstrates a Deno install with -A (allow-all). These instructions create a realistic supply-chain and credential-exfiltration risk: a compromised or malicious package could read the LINEAR_API_KEY and other local data and exfiltrate it.

Recommendation