Linear Webhooks (Verify, Replay, DLQ)
Pass
Audited by Gen Agent Trust Hub on Jun 19, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [SAFE]: No security concerns identified. The skill correctly implements robust security protocols for its intended purpose, including cryptographic signature verification and idempotency.
- [PROMPT_INJECTION]: Evaluation of the indirect prompt injection surface (Category 8) inherent in webhook processing.
- Ingestion points: The skill is designed to receive and process JSON payloads from external Linear webhook deliveries.
- Boundary markers: Mandatory HMAC-SHA256 signature verification and a 5-minute timestamp validation window are specified to ensure data integrity and prevent replay attacks.
- Capability inventory: The skill configuration in
SKILL.mdpermits access to theBashtool. - Sanitization: The instructions implement security best practices, such as using
timingSafeEqualfor comparison and re-fetching authoritative data via GraphQL to verify the state of resources.
Audit Metadata