Trust Assessment
linear-autopilot received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 10 findings: 2 critical, 8 high, 0 medium, and 0 low severity. Key findings include Sensitive path access: AI agent config, Shell command injection via unsanitized arguments in linear-api.sh, Unsanitized input in agent-executed git commands.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings10
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Shell command injection via unsanitized arguments in linear-api.sh The `scripts/linear-api.sh` script constructs shell commands by directly interpolating user-controlled input (`task_id`, `identifier`, and `comment`) into the arguments passed to the `graphql` function. Since the entire GraphQL query string is passed as a single argument to `graphql` (e.g., `graphql "mutation { ... \"$task_id\" ... }"`), any shell metacharacters (like `$(command)` or backticks) present in `task_id`, `identifier`, or `comment` will be executed by the shell *before* the `graphql` function is invoked. This allows for arbitrary command execution on the host system. The `add_comment` function's `sed` escaping for double quotes and newlines is insufficient to prevent this type of shell injection. 1. **Prevent Shell Expansion in Arguments:** When calling the `graphql` function, ensure that the arguments are passed in a way that prevents shell expansion. This can be done by using `printf %q` to quote the arguments for the shell, or by constructing the command in a way that avoids direct shell interpolation of user-controlled data. 2. **Use Safe Command Execution:** A more robust solution is to rewrite the script in a language that offers safer ways to execute external commands (e.g., Python's `subprocess` module with `shell=False`) or to use a dedicated GraphQL client library. 3. **Strict Input Validation:** Validate `task_id` and `identifier` to ensure they conform to expected formats (e.g., UUIDs, alphanumeric identifiers) and do not contain any shell metacharacters. For `comment`, implement comprehensive escaping for both shell and GraphQL contexts, or strictly limit allowed characters. | LLM | scripts/linear-api.sh:40 | |
| CRITICAL | Unsanitized input in agent-executed git commands The skill's workflow explicitly instructs the AI agent to execute `git add`, `git commit`, and `git push` commands using values (`[output files]`, `[ID]`, `[title]`) derived from task details. These task details can originate from untrusted sources (e.g., Linear task titles or descriptions created by any user). Without rigorous sanitization and validation of these inputs before constructing the shell commands, a malicious input could lead to arbitrary command execution (e.g., `git add "file.txt; rm -rf /"` or `git commit -m "task: 123" -m "$(malicious_command)"`). This also poses a significant data exfiltration risk if `[output files]` is manipulated to include sensitive files from the agent's filesystem in the git repository. 1. **Strict Input Validation and Sanitization:** All variables derived from untrusted sources (`[output files]`, `[ID]`, `[title]`) must be strictly validated and sanitized before being used in shell commands. For file paths, ensure they are canonicalized, within allowed directories, and do not contain path traversal sequences or shell metacharacters. For IDs and titles, escape all shell metacharacters or restrict them to a safe character set. 2. **Use Safe Command Execution Methods:** When executing shell commands, use methods that pass arguments as a list (e.g., `subprocess.run(['git', 'add', filename])` in Python) to prevent shell interpretation of arguments. If direct shell execution is unavoidable, ensure all user-controlled variables are properly quoted and escaped (e.g., `git add "$filename"`). 3. **Isolate Execution Environment:** Run the agent in a sandboxed environment with minimal filesystem access and network permissions to limit the impact of any successful command injection. | LLM | SKILL.md:129 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/vincentchan/linear-autopilot/SKILL.md:33 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/vincentchan/linear-autopilot/SKILL.md:47 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/vincentchan/linear-autopilot/SKILL.md:198 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/vincentchan/linear-autopilot/scripts/linear-api.sh:8 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/vincentchan/linear-autopilot/scripts/linear-api.sh:9 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/vincentchan/linear-autopilot/scripts/linear-api.sh:14 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/vincentchan/linear-autopilot/scripts/linear-api.sh:19 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/vincentchan/linear-autopilot/scripts/linear-api.sh:119 |
Scan History
Embed Code
[](https://skillshield.io/report/93fb78ebed690b0e)
Powered by SkillShield