MCPVet
Low
github · 103 files analyzed
tacticlaunch/mcp-linear
Minor capabilities, nothing alarming.
View source ↗Environment variables (config / keys) 3
Install-time scripts 1
AI review
No real safety risks found. The extension is a standard MCP server for Linear that reads API tokens from environment variables (standard practice), and the agent instructions are well-scoped development workflow guides with no hidden instructions, prompt injection, or data exfiltration attempts.
Model: deepseek-chat
Static findings
Install-time scripts · Runs scripts on install (postinstall/preinstall)
medium
package.json:28
"postinstall": "node -e \"try { require('fs').chmodSync('./dist/index.js', '755') } catch (e) {}\""
Environment variables (config / keys) · Reads environment variables (config / API keys)
low
scripts/mcp-smoke-test.mjs:27
...process.env,
info
src/__tests__/config.test.ts:5
const originalEnv = process.env;
low
src/utils/config.ts:33
const tokenFromEnv = process.env.LINEAR_API_TOKEN || process.env.LINEAR_API_KEY;
Scanning every extension your team installs?
Pro & Team add monitoring, private scans, and a CI gate for unsafe extensions.
MCPVet is a heuristic aid, not a security guarantee. A clean grade does not prove an extension is safe; always review code and instructions you don't trust.