Linear (Official) — agentic threat model
The Linear MCP agent presents a moderate-to-high risk profile due to its write access (CRUD) to workspace data and susceptibility to indirect prompt injection via user-generated issue and comment text.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
| --- | --- |
| Autonomy of Action | 0.60 |
| Goal-Driven Planning | 0.30 |
| Self-Modification | 0.00 |
| Dynamic Tool Use | 0.70 |
| Persistent Memory | 0.20 |
| Contextual Awareness | 0.50 |
| Dynamic Identity | 0.40 |
| Multi-Agent Interactions | 0.60 |
| Non-Determinism | 0.40 |
| Opacity & Reflexivity | 0.30 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Layer 1 (Foundation Models): Not certain from the listing — The Linear MCP server acts as an interface and does not specify or bundle a specific foundation model, leaving model-level vulnerabilities dependent on the client LLM used.
Layer 2 (Data Operations): The agent interacts directly with Linear workspace data. User-generated content within issues and comments acts as an active indirect prompt-injection surface, which could poison the context retrieved by the agent.
Layer 3 (Agent Frameworks): Exposes powerful CRUD tools for issues, projects, and comments. If an orchestrating framework blindly executes tool calls derived from injected instructions in issue descriptions, it could lead to unauthorized data modification or deletion.
Layer 4 (Deployment and Infrastructure): Not certain from the listing — The deployment context (local node process, container, or cloud hosting) and its sandboxing controls depend entirely on how the host client runs this MCP server.
Layer 5 (Evaluation and Observability): Not certain from the listing — There is no mention of built-in guardrails, input sanitization, or transaction logging to detect and prevent malicious tool execution or prompt injection attempts.
Layer 6 (Security and Compliance): Employs OAuth authentication scoped to a specific workspace, which effectively restricts the agent's blast radius to authorized boundaries and enforces basic access control.
Layer 7 (Agent Ecosystem): Designed specifically as an MCP tool for multi-agent or orchestrator integration. This introduces risks of cascading failures or trust abuse if parent agents execute actions on behalf of untrusted third parties.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).