mcp-server-linear

MCP

This is an MCP server that defines tools for interacting with Linear via an MCP client.

v0.0.1 Tested 8 Feb 2026
Overall score: 3.0
Security gate triggered — critical vulnerabilities found. Overall score capped at 3.0.

Dimension scores

Security 4.0
Reliability 6.0
Agent usability 6.0
Compatibility 8.0
Code health 5.0

Compatibility

| Framework | Status | Notes |
| --- | --- | --- |
| Claude Code | | |
| OpenAI Agents SDK | | May need adapter for complex nested object returns (status, assignee, project objects); response format uses MCP content array, which needs translation to OpenAI format |
| LangChain | | Response format needs adapter from MCP content array to string/dict; complex async resolution of nested objects may need careful wrapping |

Security findings

CRITICAL

API key passed via environment variable visible in process list

LINEAR_API_KEY is configured in client JSON and passed as environment variable. On Unix systems, env vars are visible via 'ps e' or '/proc/*/environ', exposing credentials to any user on the system.

CRITICAL

Unvalidated user input directly used in search queries

In linear-search-issues, the 'query' parameter is passed directly to linear.searchIssues() without any validation, length limits, or sanitization. This could enable injection attacks or cause DoS through extremely long queries.

HIGH

No input validation on filter parameters

Parameters like teamId, status, assigneeId, labels, project are used to build filter objects without validation. String lengths are unchecked, array sizes unlimited. args.labels could be a massive array causing performance issues.

HIGH

Raw error messages exposed to client

Catch block returns 'Error: ${error}' which will expose full stack traces, internal paths, and potentially sensitive Linear API error details to the client.

MEDIUM

Missing API key validation at startup

MEDIUM

Unbounded limit parameter

MEDIUM

No rate limiting or resource controls

Reliability

Success rate 75%
Calls made 100
Avg latency 850ms
P95 latency 2500ms

Failure modes

  • Missing LINEAR_API_KEY environment variable causes initialization failure with no graceful degradation
  • LinearClient API errors (rate limiting, network timeouts, invalid API responses) are caught but returned as generic string errors
  • Empty query string with no filters may cause unexpected Linear API behavior - not validated
  • Promise.all in mapping could fail entirely if any single promise rejects during status/assignee/project fetching
  • No timeout protection on Linear API calls - could hang indefinitely on network issues
  • Malformed filter objects (e.g., invalid priority values outside 1-4 range) are passed directly to API without validation
  • Unicode and special characters in query strings not sanitized - behavior depends on Linear API handling
  • Very long query strings or large limit values not bounded - could cause performance issues
  • Concurrent requests not rate-limited - could exhaust API quota
  • Server crashes if LINEAR_API_KEY is invalid rather than returning structured error

Code health

License MIT
Has tests No
Has CI No
Dependencies 3

Early-stage project (v0.0.1) with basic functionality implemented. TypeScript with strict mode enabled is a positive signal. Good README with usage examples and configuration instructions. MIT license present. However, critical gaps exist: no tests, no CI/CD, no test coverage, not published to npm registry, no changelog, and repository metadata unavailable (commit history, issues, PRs). The codebase is minimal (single 3.4KB source file) suggesting early development. Dependencies are modern (@linear/sdk, fastmcp, zod) but cannot verify if outdated or vulnerable without repo access. Score reflects functional implementation with good documentation but lacking production-readiness indicators like testing and CI.