pp-linear

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt instructs the agent to ask the user for their Linear API key and to insert it into a command-line invocation (e.g., claude mcp add -e LINEAR_API_KEY=lin_api_...), which requires the LLM to handle and embed the secret verbatim in its output — a direct exfiltration risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). This skill relies on runtime installation of remote code (e.g., via "npx -y @mvanhorn/printing-press install linear cli-only" and "go install github.com/mvanhorn/printing-press-library/library/project-management/linear/cmd/linear-pp-cli@latest"), which fetches and executes third‑party code and thus constitutes a high-confidence external runtime dependency.