linear
Pass
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill communicates with the official Linear API at https://api.linear.app/graphql. This is a well-known service and is necessary for the skill's primary function of managing issues.
- [CREDENTIALS_UNSAFE]: Linear API keys are managed via a local config.json file. The script supports referencing environment variables (e.g., using $LINEAR_API_KEY), which is the recommended secure approach to avoid storing secrets in plain text.
- [PROMPT_INJECTION]: The skill processes user-supplied text for titles and comments. This creates a surface for indirect prompt injection where malicious instructions could be embedded in data processed by the agent.
  1. Ingestion points: Command-line arguments in scripts/linear-issue.ts.
  2. Boundary markers: None.
  3. Capability inventory: Network access to Linear API and file-system write for config.
  4. Sanitization: Standard JSON serialization for API requests.
Audit Metadata