Security risk report for @forgecat/openai_skills_linear v0.0.10
Source Integrity
Low
Profile is sourced from OpenAI's official skills repository (github.com/openai/skills), a trusted upstream.
Metadata clearly attributes authorship and provides commit hash for supply-chain traceability.
Agent Intent
Low
Content describes legitimate Linear project-management workflows (sprint planning, bug triage, documentation audit) with no instructions to manipulate the AI, exfiltrate data, or bypass security controls.
Skill documentation is instructional but confined to Linear API operations; no prompt injection, system-prompt leakage, or guidance poisoning detected.
MCP setup instructions (Step 0) are standard configuration guidance, not malicious payload injection.
Details
Evidence
"Follow these steps in order. Do not skip steps." — procedural workflow, not agent hijacking.
"Clarify the user's goal and scope... Confirm team/project, priority, labels, cycle, and due dates as needed." — legitimate task clarification.
Tool list (list_issues, create_issue, update_issue, etc.) aligns with stated Linear management purpose.
Permissions
PRM-000Medium
The skill instructs the agent to add and configure an MCP server at runtime (`codex mcp add`, `codex mcp login`), which is a self-expanding authority pattern slightly beyond pure issue management.
The WSL/JSON fallback config block allows the agent to invoke `wsl` and `npx` subprocesses, introducing a limited shell-execution surface not strictly necessary for reading/writing Linear tickets.
Overall scope is still largely consistent with the stated purpose (Linear issue management), so this does not rise to danger.
Details
Evidence
'codex mcp add linear --url https://mcp.linear.app/mcp'
The MCP server points to `https://mcp.linear.app/mcp`, which is Linear's official hosted endpoint — a known, legitimate service rather than an arbitrary or attacker-controlled host.
External network access is required for every tool call, meaning the agent will continuously send workspace data (issue titles, descriptions, user names) to an external host, which warrants awareness.
No hidden instructions are embedded in tool descriptions, and no unrestricted filesystem or arbitrary binary execution is defined in the MCP server config itself.
Details
Evidence
"url": "https://mcp.linear.app/mcp"
Skill lists tools such as `list_issues`, `create_issue`, `list_users` — all routed through this external endpoint