registry  /  @cvr/linear  /  0.3.0

@cvr/linear@0.3.0

A command-line interface for [Linear](https://linear.app) built with Bun and Effect TypeScript.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface. Install-time compilation creates the package’s own CLI; runtime reads/saves the Linear credential only to service user-invoked Linear API commands.

Static reason
One or more suspicious static signals were detected.
Trigger
npm postinstall or explicit `linear` CLI command
Impact
Creates the CLI binary and, after interactive authentication, stores and uses a Linear API token locally.
Mechanism
Bun compilation plus user-authorized Linear SDK API access
Rationale
The lifecycle hooks and native executable are explained by a transparent Bun CLI build, while source inspection found no concrete malicious behavior. Credential and network access are package-aligned and activated through explicit authentication or CLI use.
Evidence
package.jsonsrc/services/Config.tssrc/services/Browser.tssrc/services/Linear.tssrc/commands/auth.tssrc/commands/api.tsbin/linearsrc/main.tsskills/linear/SKILL.md
Network endpoints2
linear.app/settings/account/securityapi.linear.app/graphql

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `package.json` runs `bun run build` in `postinstall`.
  • `package.json` `prepare` invokes `lefthook install`.
  • `src/services/Browser.ts` launches macOS `open` during interactive auth.
  • `src/services/Config.ts` stores a user-entered API key under `~/.config/linear/token`.
Evidence against
  • `postinstall` only compiles `src/main.ts` into the shipped CLI; no payload download or shell chain is present.
  • All source-side API actions use `@linear/sdk` after a user invokes CLI commands.
  • `BrowserService.open` receives only the fixed Linear security URL from `src/commands/auth.ts`.
  • No source use of exfiltration endpoints, dynamic code loading, VM/eval, destructive file operations, or AI-agent config paths was found.
  • `skills/linear/SKILL.md` instructs agents not to read tokens directly and requires explicit authorization for mutations.
  • `bin/linear` is a Bun-compiled ELF whose embedded Linear endpoint is `https://api.linear.app/graphql`.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chain
UrlStrings
Manifest
NoLicenseWildcardDependency
scanned 12 file(s), 52.7 KB of source, external domains: linear.app

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = bun run build
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = bun run build
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/linearView file
path = bin/linear kind = native_binary sizeBytes = 98019456 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

bin/linearView on unpkg

Findings

1 High3 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumShips Native Binarybin/linear
MediumWildcard Dependency
LowNon Install Lifecycle Scripts
LowScripts Present
LowUrl Strings
LowNo License