Linear
Pass
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill downloads the official
@linear/sdkand other development dependencies from the NPM registry. It communicates exclusively with official Linear service domains (api.linear.appand Linear-managed S3 storage) for its core functionality. - [COMMAND_EXECUTION]: Provides several automation scripts (
scripts/linear-ops.ts,scripts/sync.ts, etc.) for managing workflows. These scripts perform local tasks such as validating configuration, extracting images from session logs, and coordinating API calls. A shell hook (hooks/post-edit.sh) is provided to assist users by detecting issue references in modified code. - [CREDENTIALS_UNSAFE]: While the skill requires a
LINEAR_API_KEY, it implements robust protection patterns. Documentation and setup scripts (scripts/setup.ts) guide the user to provide the key via environment variables, and multiple warnings in theSKILL.mdandREADME.mdinstruct the agent and user never to expose the key in logs or chat history. - [DATA_EXFILTRATION]: No evidence of unauthorized data exfiltration. Network operations are directed towards Linear's official GraphQL API for the purpose of project management as requested by the user.
- [SAFE]: The skill demonstrates high-quality security practices, including input serialization for GraphQL queries and a clear separation between sensitive credentials and terminal output.
Audit Metadata