linear-sync
Warn
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes local scripts such as
linear-api.shandsync-github-issues.sh, along with standard CLI tools likegitandgh. It references a PreToolUse hook designed to auto-approve specific Bash command patterns, which reduces manual verification of executed operations. - [COMMAND_EXECUTION]: Shell commands are dynamically assembled at runtime. GraphQL queries and mutations are constructed using
printfand string interpolation of variables that may contain data fetched from external sources. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes untrusted data from Linear issue titles, descriptions, and git commit logs to draft PR bodies and issue comments.
- Ingestion points: Data enters the context via
[LINEAR-DIGEST]hook context, Linear API responses, andgit logoutput. - Boundary markers: No specific delimiters or instructions are used to isolate untrusted data when it is interpolated into prompts or PR templates.
- Capability inventory: The skill can execute subprocesses via
bash linear-api.shand perform file writes to~/.claude/linear-sync/state.jsonand.claude/linear-sync.json. - Sanitization: While the skill uses
printffor query structure, there is no evidence of sanitization or escaping for the natural language content extracted from issues or logs before it is processed by the agent.
Audit Metadata