Linear MCP Server — agentic threat model
The Linear MCP Server exposes read/write access to project management data, presenting moderate risk of unauthorized ticket modification or data exfiltration if untrusted issue content is processed by an LLM without strict input sanitization.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
| --- | --- |
| Autonomy of Action | 0.60 |
| Goal-Driven Planning | 0.40 |
| Self-Modification | 0.00 |
| Dynamic Tool Use | 0.50 |
| Persistent Memory | 0.20 |
| Contextual Awareness | 0.50 |
| Dynamic Identity | 0.10 |
| Multi-Agent Interactions | 0.30 |
| Non-Determinism | 0.40 |
| Opacity & Reflexivity | 0.30 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Not certain from the listing — The Linear MCP Server is model-agnostic; however, the model calling this server is susceptible to prompt injection via untrusted issue descriptions or comments stored in Linear.
Data operations involve reading and writing issues, projects, and workflows. Untrusted user-editable ticket content acts as a vector for data poisoning or indirect prompt injection.
The MCP framework orchestrates tool execution. Insecure tool integration could allow an LLM to execute unintended write actions (e.g., deleting projects or modifying critical workflows) if tool parameters are not strictly validated.
Not certain from the listing — The deployment environment must securely manage Linear API tokens and restrict network access, but specific sandboxing or hosting details are not provided in the directory listing.
Not certain from the listing — There is no mention of built-in logging, guardrails, or observability tools to monitor and audit the actions performed by the agent on the Linear workspace.
The agent relies on Linear's API authentication. Access control is critical; if the API token has broad write permissions, the agent inherits those privileges, risking unauthorized modifications across the workspace.
As an MCP server, this tool is designed to be called by other agents or host applications, introducing risks of cascading failures or unauthorized tool execution in multi-agent environments.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).