Is linear-api safe?

https://clawhub.ai/byungkyu/linear-api

72
CAUTION

This skill is a documentation-only Linear API integration that routes all traffic through a third-party gateway (Maton). It contains no executable code, no install hooks, and no direct malicious behavior. However, the architectural choice to proxy all API calls and OAuth tokens through third-party infrastructure (gateway.maton.ai, ctrl.maton.ai) creates significant data exposure risk — the gateway operator has full visibility into all Linear data and holds user OAuth tokens. The cross-reference to another skill from the same author is a minor social engineering concern.

Category Scores

Prompt Injection 65/100 · 30%
Data Exfiltration 60/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 50/100 · 5%

Findings (8)

HIGH All traffic routed through third-party proxy gateway -25

Every API call goes to gateway.maton.ai instead of directly to api.linear.app. The Maton gateway acts as a full man-in-the-middle, receiving the user's API key and proxying all GraphQL queries and responses. This gives the gateway operator access to all Linear data including issues, projects, team members, emails, and organizational structure.

HIGH OAuth tokens managed by third-party infrastructure -10

The skill delegates OAuth token management entirely to Maton (ctrl.maton.ai). Users create, list, and delete OAuth connections through Maton's control plane. The user never sees or controls their own Linear OAuth token — Maton holds it and injects it server-side. This is a significant trust dependency.

MEDIUM Cross-skill reference encourages installing additional skills -15

The skill description explicitly references another skill by URL: 'For other third party apps, use the api-gateway skill (https://clawhub.ai/byungkyu/api-gateway)'. This could prompt an agent to install additional skills from the same author, expanding the attack surface. This is a soft social engineering vector.

MEDIUM Inline code execution templates in skill documentation -15

The SKILL.md contains numerous python heredoc execution patterns (python <<'EOF'...) that an agent will use as templates. While these target legitimate endpoints, the pattern normalizes inline code execution via shell, which could be exploited if the gateway returned malicious instructions in error messages or responses.

LOW Skill requests broad environment variable access -5

The skill declares MATON_API_KEY as a required env var. While this is transparent, the agent will read and transmit this key on every API call to third-party infrastructure.

LOW Troubleshooting instructs agent to echo API key -5

The troubleshooting section includes 'echo $MATON_API_KEY' which, if followed by an agent, would print the API key to output where it could be logged or displayed to unintended recipients.

INFO Runtime reads sensitive files during install (not skill-caused) -10

The filesystem monitor captured reads of .env, .aws/credentials, .profile, and .bashrc during the install phase. These reads originate from the OpenClaw agent runtime initialization, not from the skill itself. No skill-triggered filesystem access was observed.

MEDIUM Third-party gateway creates organizational data exposure risk -50

If deployed in an organization, this skill gives Maton's infrastructure visibility into all Linear project management data — issue titles, descriptions, team structures, user emails, and workflow states. A breach of Maton's gateway would expose all connected organizations' Linear data. The trust model requires full confidence in Maton as an intermediary.