Skill v1.0.0

VirusTotal security

Linear Webhook · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Review
May 1, 2026, 3:09 AM
Hash
90efaf39c8bda27a2f41ec739575e24554312def6ba8b8b9d81abaa6683980d1
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: linear-webhook
Version: 1.0.0

The skill is classified as suspicious due to its high susceptibility to prompt injection, which could lead to unauthorized command execution and data exfiltration. Specifically, the `linear-transform.js` file constructs a task message for the AI agent that includes a 'MANDATORY' instruction to execute a shell command: `LINEAR_API_KEY=$(cat ~/.linear_api_key) node -e "..."`. This command reads a sensitive API key directly from a file (`~/.linear_api_key`) and executes Node.js code. While intended for the benign purpose of posting agent responses back to Linear, this mechanism provides a direct avenue for an attacker to inject malicious commands into the agent's response, potentially leading to arbitrary code execution or exfiltration of sensitive data beyond the Linear API key.