Linear Webhooks (Verify, Replay, DLQ)

Pass

Audited by Gen Agent Trust Hub on Jun 19, 2026

Risk Level: SAFEPROMPT_INJECTION
Full Analysis
  • [SAFE]: No security concerns identified. The skill correctly implements robust security protocols for its intended purpose, including cryptographic signature verification and idempotency.
  • [PROMPT_INJECTION]: Evaluation of the indirect prompt injection surface (Category 8) inherent in webhook processing.
  • Ingestion points: The skill is designed to receive and process JSON payloads from external Linear webhook deliveries.
  • Boundary markers: Mandatory HMAC-SHA256 signature verification and a 5-minute timestamp validation window are specified to ensure data integrity and prevent replay attacks.
  • Capability inventory: The skill configuration in SKILL.md permits access to the Bash tool.
  • Sanitization: The instructions implement security best practices, such as using timingSafeEqual for comparison and re-fetching authoritative data via GraphQL to verify the state of resources.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 19, 2026, 12:25 AM
Security Audit — agent-trust-hub — Linear Webhooks (Verify, Replay, DLQ)