ClawHub

Linear Webhook

Security checks across malware telemetry and agentic risk

Overview

The skill has a coherent Linear webhook purpose, but it gives agent-triggered workflows unsafe local command and credential-based posting authority that users should review before installing.

Install only if you are comfortable letting authenticated Linear comments dispatch local agents and potentially post back to Linear with your configured write credentials. Use a dedicated least-privilege Linear bot token, remove or replace the mandatory shell command in the generated prompt, sanitize helper-script inputs, document whether @forge should be enabled, and avoid routing confidential Linear issues unless your agent logs, sessions, and optional Telegram forwarding are approved for that data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The function documentation says comments are posted using each agent's OAuth token, but the implementation actually falls back to and prefers a locally stored personal Linear API key. This creates an authority and attribution mismatch: any agent-triggered action is effectively executed with the broader privileges of the operator's personal account, which can bypass intended scoping, auditing, and least-privilege controls.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly states that agents receive full issue context, including descriptions, labels, assignee details, comment text, and issue URLs, but does not warn that this may include sensitive business or personal data. In a webhook-driven agent workflow, this omission can lead operators to forward confidential ticket contents to automated systems or downstream services without informed consent, data minimization, or policy review.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill sends Linear comments and issue context to agent infrastructure and documents an option to forward responses to Telegram, but it does not clearly warn users that issue content may leave the original system boundary. This is dangerous because users may mention agents in issues containing confidential project, customer, or security information without informed consent about third-party transmission and onward sharing.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The generated task message explicitly instructs the receiving agent to execute a shell command that reads a local secret file (`~/.linear_api_key`) and uses it to post data externally. Because this instruction is embedded in untrusted webhook-derived content, it creates a prompt/command-injection path where external users can cause an agent to access local credentials and perform privileged actions without a separate trust boundary or consent step.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script interpolates the user-controlled sessionKey directly into a shell command passed to exec(), which can lead to command injection if an attacker can influence the CLI argument. In this skill context, session identifiers may originate from external workflow inputs, making arbitrary command execution on the host a serious risk.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The script accesses a sensitive credential from ~/.linear_api_key without any prompt, warning, or visible disclosure to the user. In an agent-skill context, implicit credential use can surprise users and broaden the trust boundary, especially if the skill is invoked automatically or by webhook-triggered workflows.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script forwards arbitrary response text to Linear over the network without any user-facing notice or confirmation. In this skill's context, that means comments or generated content may be transmitted externally whenever the script runs, which can leak sensitive data if upstream inputs are not carefully controlled.

Ssd 3

Medium
Confidence
94% confidence
Finding
The task message forwards full issue descriptions and comment bodies into the agent prompt and couples that with instructions for posting responses back to an external service. In this webhook-routing context, untrusted user content can shape agent behavior and induce disclosure or reproduction of sensitive issue data, increasing the risk of prompt injection, over-sharing, and unintended propagation of private project information.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal