Back to skill

Security audit

Linear Webhook

Security checks across malware telemetry and agentic risk

Overview

This Linear integration has a coherent purpose, but it gives webhook-triggered agent workflows unsafe local credential and posting authority that should be reviewed before use.

Install only if you are comfortable letting Linear comments trigger local agents and potentially post back to Linear with configured write credentials. Use a dedicated least-privilege Linear bot token, remove the mandatory shell command from agent prompts, validate helper-script inputs, decide whether @forge should exist, and avoid routing confidential Linear issues unless agent sessions, logs, and any forwarding destinations are approved for that data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill documentation describes a webhook integration that uses network access, environment variables, and shell commands, but it does not declare those capabilities explicitly. This creates a security transparency problem: operators may enable a skill without realizing it can access secrets, invoke local commands, and expose a public endpoint, which increases the risk of misuse and weak review.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The documented purpose is limited to routing Linear mentions, but the referenced behavior expands into posting back to Linear, reading credentials from local files and environment variables, using extra agent mappings, and executing CLI commands to gather session history. That mismatch is dangerous because reviewers may approve a seemingly simple router while it actually has broader data access, external side effects, and local execution capabilities that can expose secrets or leak internal context.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The transform injects operational instructions into the agent task telling it to execute a shell command that reads a local secret file (~/.linear_api_key) and posts data externally. Because comment and issue content are attacker-controlled via the webhook, this turns untrusted input into a prompt that encourages credential access and command execution outside the skill's stated routing purpose.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The skill reads OAuth tokens and a personal API key from local files/environment, adding credential-access capability unrelated to simple webhook transformation. In the context of an agent skill that processes untrusted webhook comments, embedding secret-reading behavior expands blast radius if the skill is misused or chained with prompt-injection behavior.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The skill description says it only receives and routes comments, but the implementation can also post responses back to Linear via GraphQL using stored credentials. This hidden write capability increases risk because operators may enable the skill expecting passive routing, while it actually performs authenticated external actions on attacker-triggerable events.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code builds a shell command with untrusted input via string interpolation: `clawdbot sessions history ${sessionKey} --json`. If an attacker can influence `sessionKey`, they may inject shell metacharacters and execute arbitrary commands on the host running this script, which is especially risky in an automation or cron context.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README explicitly states that agents receive full issue context, including descriptions, labels, assignee, comment text, and URLs, but it does not warn users that commenting with an agent mention may cause this data to be transmitted to an automated system. In a webhook-to-agent integration, this can lead to unintended disclosure of potentially sensitive project or personal information to downstream agents or external systems without informed consent or data-minimization controls.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill sends issue titles, descriptions, labels, URLs, comment text, and commenter names from Linear through a publicly exposed webhook into downstream agent sessions, but the documentation does not present this as a clear user-facing data-sharing warning. That omission can lead to accidental transmission of sensitive project or personal information to systems and agents that users did not realize were in the processing path.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The generated task instructions conceal a sensitive side effect: they tell the agent to read credentials from disk and send a response to Linear, but do not meaningfully surface this as a security-sensitive action requiring separate approval. In an agent context, such hidden operational steps increase the chance that untrusted comment content can induce unintended secret use and external posting.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This function reads API credentials from environment/files and transmits data to Linear without clear user-facing disclosure or approval boundaries. Because the skill handles untrusted webhook-originated content, undisclosed credentialed network actions materially raise the risk of prompt-driven data exfiltration or unauthorized writes.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script takes agent output derived from session history and posts it to Linear without any content review, minimization, or explicit consent boundary. If agent responses contain sensitive data, hidden prompts, internal reasoning, secrets, or data copied from other contexts, this creates an unintended data exfiltration path to an external SaaS system.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The script accesses a sensitive credential from ~/.linear_api_key without any user-facing disclosure, consent prompt, or visible indication in the workflow. In an agent skill context, undisclosed secret access is risky because users may invoke the tool expecting comment routing, not local secret consumption, and this can normalize hidden credential use.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script performs an outbound action to Linear by invoking Node code that posts a comment, but there is no visible warning, confirmation, or audit-friendly notice to the user. In a webhook/agent setting, silent external posting can cause unintended data disclosure if RESPONSE contains sensitive content or if the script is triggered with untrusted input.

External Transmission

Medium
Category
Data Exfiltration
Content
`;

  try {
    const response = await fetch('https://api.linear.app/graphql', {
      method: 'POST',
      headers: {
        'Authorization': apiKey,
Confidence
91% confidence
Finding
fetch('https://api.linear.app/graphql', { method: 'POST'

External Transmission

Medium
Category
Data Exfiltration
Content
`;

  try {
    const response = await fetch('https://api.linear.app/graphql', {
      method: 'POST',
      headers: {
        'Authorization': apiKey,
Confidence
91% confidence
Finding
https://api.linear.app/

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access, suspicious.potential_exfiltration

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
linear-transform.js:176

Sensitive-looking file read is paired with a network send.

Warn
Code
suspicious.potential_exfiltration
Location
linear-transform.js:178