
usrcp-linear@0.2.1

Linear capture adapter for USRCP — polls Linear's GraphQL API for issues and comments authored by the configured user, and appends them to the local ledger

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a Linear-to-USRCP capture adapter; risky primitives are either install-time better-sqlite3 rebuild cleanup or user-invoked adapter setup/runtime polling.

Static reason: High-risk behavior combination matched malicious policy.
Trigger: npm install postinstall, or user running usrcp-linear / usrcp-linear --reset-config
Impact: Expected local config/ledger updates and Linear API reads; no confirmed exfiltration or destructive behavior beyond scoped native rebuild cleanup.
Mechanism: Linear API polling and local ledger append with package-aligned config
Rationale: Static inspection found a lifecycle script, child_process use, env access, and Linear SDK network use, but each is consistent with the package’s documented adapter behavior and lacks concrete exfiltration, persistence, destructive, or control-surface mutation behavior. Mark clean despite scanner lifecycle warnings.
Evidence
  • package.json
  • dist/index.js
  • dist/setup.js
  • dist/config.js
  • dist/capture.js
  • README.md
  • node_modules/better-sqlite3/build
  • node_modules/usrcp-core/node_modules/better-sqlite3/build
  • node_modules/usrcp-stream/node_modules/better-sqlite3/build
  • ~/.usrcp/linear-config.json
Network endpoints (1)
linear.app/settings/api

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json has postinstall lifecycle removing better-sqlite3 build dirs and running npm rebuild.
  • dist/index.js imports node:child_process, but only for user-invoked --reset-config.
  • dist/index.js reads USRCP_PASSPHRASE and Linear API key config for ledger/API access.
Evidence against
  • No install-time credential/env harvesting or exfiltration found.
  • postinstall is limited to better-sqlite3 native rebuild cleanup under node_modules.
  • Runtime Linear API polling is package-aligned and uses allowlisted teams/authored issues/comments.
  • dist/capture.js appends captured Linear activity to local USRCP ledger only.
  • dist/config.js delegates encrypted config handling to usrcp-adapter-kit.
  • No eval/vm/dynamic payload/native binary loading/persistence/AI-agent control writes found.
Behavioral surface
Source: Child Process, Environment Vars
Supply chain: Url Strings
Manifest: No manifest risk signals triggered.
scanned 4 file(s), 23.6 KB of source, external domains: linear.app

Source & flagged code

2 flagged
package.json
scripts.postinstall = node -e "const fs=require(\"fs\"); for (const p of [\"node_modules/better-sqlite3/build\",\"node_modules/usrcp-core/node_modules/better-sqlite3/build\",\"node_modules/usrcp-stream/...
Critical
Red Install Lifecycle Script

Install-time lifecycle script matches a deterministic static-gate block pattern.

package.json
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json

Findings

1 Critical · 1 High · 1 Medium · 2 Low
  • Critical: Red Install Lifecycle Script (package.json)
  • High: Install Time Lifecycle Scripts (package.json)
  • Medium: Environment Vars
  • Low: Scripts Present
  • Low: Url Strings