composio-linear
Audited by Socket on Feb 28, 2026
1 alert found:
Obfuscated File

Functionally, the package/documentation is a connector that proxies Linear operations through Composio's backend and matches its stated purpose. The primary security concerns are not code-level malware but operational: forwarding of API keys/connection IDs to a third-party, lack of documented storage/retention/audit controls, and the potential for over-broad permissions (custom GraphQL and action execution). No direct evidence of malicious code, remote code execution, or obfuscation exists in the provided fragment.

Recommended actions:
(1) Treat Composio as a high-trust third party and validate their security/privacy practices (encryption, key rotation, RBAC, logging/retention).
(2) Use least-privilege tokens/scopes for COMPOSIO_API_KEY and connected accounts; prefer time-limited credentials.
(3) Avoid exposing secrets in shell history or shared logs; use secret managers or CI encrypted variables.
(4) If sensitive data must be protected, consider calling Linear's API directly or deploying a self-hosted proxy under your control.