linear-security-basics
Provides best practices for secure API key management and OAuth implementation for Linear integrations.
Security score
The linear-security-basics skill was audited on Feb 28, 2026 and we found 32 security issues across 3 threat categories. Review the findings below before installing.
Security Issues
Fetch to external URL
| 120 | const response = await fetch("https://api.linear.app/oauth/token", { |
Fetch to external URL
| 152 | const response = await fetch("https://api.linear.app/oauth/token", { |
Webhook reference - potential data exfiltration
| 178 | ### Step 4: Webhook Signature Verification |
Webhook reference - potential data exfiltration
| 182 | function verifyWebhookSignature( |
Webhook reference - potential data exfiltration
| 200 | app.post("/webhooks/linear", express.raw({ type: "*/*" }), (req, res) => { |
Webhook reference - potential data exfiltration
| 204 | if (!verifyWebhookSignature(payload, signature, process.env.LINEAR_WEBHOOK_SECRET!)) { |
Webhook reference - potential data exfiltration
| 209 | // Process verified webhook... |
Webhook reference - potential data exfiltration
| 242 | - [ ] Webhook signatures verified |
Webhook reference - potential data exfiltration
| 250 | | `Invalid signature` | Webhook secret mismatch | Verify secret matches Linear settings | |
Webhook reference - potential data exfiltration
| 256 | - [Webhook Security](https://developers.linear.app/docs/graphql/webhooks) |
Access to .env file
| 38 | apiKey: process.env.LINEAR_API_KEY! |
Access to .env file
| 44 | # .env (never commit this file) |
Access to .env file
| 48 | .env |
Access to .env file
| 49 | .env.* |
Access to .env file
| 50 | !.env.example |
Access to .env file
| 52 | # .env.example (commit this for documentation) |
Access to .env file
| 60 | const apiKey = process.env.LINEAR_API_KEY; |
Access to .env file
| 89 | clientId: process.env.LINEAR_CLIENT_ID!, |
Access to .env file
| 90 | clientSecret: process.env.LINEAR_CLIENT_SECRET!, |
Access to .env file
| 91 | redirectUri: process.env.LINEAR_REDIRECT_URI!, |
Access to .env file
| 158 | client_id: process.env.LINEAR_CLIENT_ID!, |
Access to .env file
| 159 | client_secret: process.env.LINEAR_CLIENT_SECRET!, |
Access to .env file
| 204 | if (!verifyWebhookSignature(payload, signature, process.env.LINEAR_WEBHOOK_SECRET!)) { |
Access to .env file
| 218 | process.env.LINEAR_API_KEY_NEW, |
Access to .env file
| 219 | process.env.LINEAR_API_KEY_OLD, |
Access to .env file
| 238 | - [ ] .env files in .gitignore |
External URL reference
| 100 | const authUrl = new URL("https://linear.app/oauth/authorize"); |
External URL reference
| 120 | const response = await fetch("https://api.linear.app/oauth/token", { |
External URL reference
| 152 | const response = await fetch("https://api.linear.app/oauth/token", { |
External URL reference
| 255 | - [Linear OAuth Documentation](https://developers.linear.app/docs/oauth) |
External URL reference
| 256 | - [Webhook Security](https://developers.linear.app/docs/graphql/webhooks) |
External URL reference
| 257 | - [API Authentication](https://developers.linear.app/docs/graphql/authentication) |