linear-sync
Audited by Socket on Mar 1, 2026
1 alert found:
Security
This SKILL.md is consistent with its stated purpose: synchronizing Linear data with PM workspace initiatives, generating reports, and optionally pushing initiative data to Linear. I found no evidence of obfuscated code, download-and-execute chains, credential harvesting, or network exfiltration to suspicious domains. The main risks are operational: the skill requires write access to local repository metadata and to Linear via MCP (especially with --push), and it depends on MCP connectors (a transitive trust boundary). Treat the MCP endpoints and credentials as sensitive: ensure least-privilege scopes, confirm push actions, and audit MCP logs. Overall, the skill appears benign but with moderate operational risk due to privileged actions it can perform.