linear-mcp

An MCP server for interacting with Linear's API, providing tools for managing issues, projects, and teams

dvcrnapi-integrationTypeScript
GitHubnpm
0/100
Critical
0Tools
6Findings
Stars
Downloads
Mar 24, 2026Last Scanned

Score Breakdown5 categories

</>Code
100
Dependencies
85
Config
7
Description
100
Behavior
100

OWASP MCP Top 10 Coverage

MCP10-supply-chainMCP10-supply-chainFail
MCP02-tool-poisoningMCP02-tool-poisoningPass
MCP07-insecure-configMCP07-insecure-configFail
MCP08-dependency-vulnMCP08-dependency-vulnFail
MCP01-prompt-injectionMCP01-prompt-injectionPass
MCP03-command-injectionMCP03-command-injectionFail
MCP04-data-exfiltrationMCP04-data-exfiltrationPass
MCP09-logging-monitoringMCP09-logging-monitoringPass
MCP05-privilege-escalationMCP05-privilege-escalationFail
MCP06-excessive-permissionsMCP06-excessive-permissionsPass

Findings6

3critical
2high
0medium
1low
0informational
criticalJ2Git Argument InjectionMCP03-command-injectionAML.T0054
Pattern "--upload-pack|--receive-pack|--exec" matched in source_code: "--exec" (at position 3961)
Always terminate git argument lists with '--' before user-supplied paths. Never allow git_init on directories outside the configured workspace. Validate all git arguments against an allowlist. Block core.* config overrides in user-controlled inputs. See CVE-2025-68143/68144/68145 for the full attack chain.
criticalK14Agent Credential Propagation via Shared StateMCP05-privilege-escalationAML.T0054
Pattern "(process\.env|os\.environ|setenv|putenv).*(?:token|credential|api[_\s-]?key|secret|password)" matched in source_code: "process.env.LINEAR_ACCESS_TOKEN" (at position 1155)
Never write credentials to shared agent state. Use credential vaults (HashiCorp Vault, AWS Secrets Manager) with per-agent scoped access. Implement OAuth token exchange (RFC 8693) for cross-agent authorization. Redact credentials from all agent outputs before writing to shared memory. Required by OWASP ASI03/ASI07 and MAESTRO L7.
criticalQ13MCP Bridge Package Supply Chain AttackMCP10-supply-chainAML.T0054
Pattern "["']@modelcontextprotocol/sdk["']\s*:\s*["'](?:\^|~|\*|latest)" matched in source_code: ""@modelcontextprotocol/sdk": "^" (at position 4724)
MCP bridge packages (mcp-remote, mcp-proxy, @modelcontextprotocol/sdk, fastmcp) are high-value supply chain targets — CVE-2025-6514 (CVSS 9.6) in mcp-remote affected 437,000+ installs. Always pin exact versions (no ^ or ~ ranges). Use lockfiles (package-lock.json, pnpm-lock.yaml, uv.lock). Never run `npx mcp-remote` without version pinning. Verify package integrity with `npm audit` or `pip-audit` before deployment. Reference: CVE-2025-6514, OWASP ASI04.
highD1Known CVEs in DependenciesMCP08-dependency-vuln
Dependency "@modelcontextprotocol/sdk@1.4.0" has known CVEs:
Update dependencies to versions that patch known CVEs. Run 'npm audit fix' or 'pip-audit' to identify and resolve vulnerable dependencies.
highK16Unbounded Recursion / Missing Depth LimitsMCP07-insecure-configAML.T0054
Pattern "(invoke|call|execute)[_\s-]?(?:tool|agent|self)(?!.*(?:depth|level|limit|max[_\s-]?(?:depth|recursi|iter|call)|count))" matched in source_code: "CallTool" (at position 212)
Add explicit depth/recursion limits to all recursive operations. Use iterative approaches where possible. Set maximum depth for directory walking (max_depth=10), tree traversal (max_level=20), and agent re-invocation (max_calls=5). Implement circuit breakers that halt after N iterations. Required by EU AI Act Art. 15 (robustness) and OWASP ASI08.
lowF4MCP Spec Non-ComplianceMCP07-insecure-config
Server fails MCP spec compliance checks: required:server_name; required:server_version; required:protocol_version; recommended:tool_descriptions; recommended:parameter_descriptions
Follow the MCP specification for server metadata. Include server name, version, and protocol version. Provide descriptions for all tools and parameters.

Security Category Deep Dive

Sub-Category Tree · Remediation Roadmap · Attack Stories · Compliance Overlay · ATLAS Techniques · Maturity Model

Prompt Injection
Prompt & context manipulation attacks
69
MATURITY
14
RULES
5
SUB-CATS
1
GAPS
64%
IMPL.
56
TESTS
1
STORIES
PI-DIRDirect Input Injection
100%3 rules
Injection via tool descriptions and parameter fields
GAP-001Prompt Injection Coverage GapMissing detection coverage for emerging prompt injection attack variants not addressed by current rules
PI-INDIndirect / Gateway Injection
100%4 rules
Hidden instructions via external content and tool responses
PI-CTXContext Manipulation
100%2 rules
Context window saturation and prior-approval exploitation
PI-ENCEncoding & Obfuscation
100%3 rules
Payload hiding via invisible chars, base64, schema fields
PI-TPLTemplate & Output Poisoning
100%2 rules
Injection via prompt templates and runtime tool output
Framework Coverage
OWASP MCP Top 1014/14
MITRE ATLAS14/14
CoSAI MCP2/14
OWASP Agentic Top 1012/14
Kill Chain Phases
0Initial Access
0Defense Evasion
0Execution
0Persistence