linear-curl-issue-ops

Fail

Audited by Gen Agent Trust Hub on Mar 12, 2026

Risk Level: HIGH | COMMAND_EXECUTION | CREDENTIALS_UNSAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses security find-generic-password and security add-generic-password to interact with the local macOS Keychain via shell scripts. It also uses curl to send data to external APIs and jq for JSON processing.
  • [CREDENTIALS_UNSAFE]: The skill is designed to retrieve a secret (linear-api-key) from the macOS Keychain and store it in an environment variable (LINEAR_API_KEY). This allows the agent to access sensitive persistent credentials stored on the host system.
  • [COMMAND_EXECUTION]: In scripts/create_issues_from_json.sh, variables like title and description are extracted from a JSON file and passed into shell variables. While jq is used for construction, the shell loop and redirection patterns create a surface area for injection if the input JSON is maliciously crafted.
  • [DATA_EXFILTRATION]: The script scripts/linear_graphql.sh sends the retrieved API key in an Authorization header to https://api.linear.app/graphql. While this is the intended destination, the mechanism for automated credential retrieval from the system keychain is a high-privilege operation.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 12, 2026, 10:29 AM