← Back to Skills Marketplace
arnarsson

Linear Webhook

by Arnarsson · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
1744
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install linear-webhook
Description
Comment @mason or @eureka in Linear issues to dispatch tasks to agents. Webhook receives Linear comments and routes to correct agent.
README (SKILL.md)

Linear Webhook Skill

Enables Linear issue comment @mentions to dispatch tasks to Clawdbot agents.

How It Works

  1. Comment in Linear: @mason implement user authentication or @eureka plan Q2 roadmap
  2. Linear webhook fires on comment creation
  3. Clawdbot receives webhook via exposed endpoint
  4. Transform parses payload:
    • Extracts @mason or @eureka mention
    • Gets issue context (title, description, labels)
    • Prepares task prompt
  5. Routes to agent session:
    • @mason → mason agent (code/implementation)
    • @eureka → eureka agent (planning/strategy)
  6. Agent processes task and returns result
  7. Result posted back as Linear comment

Setup

1. Configure Clawdbot Webhooks

Add to your config.json5:

{
  hooks: {
    enabled: true,
    token: "your-secret-token-here", // Generate with: openssl rand -base64 32
    path: "/hooks",
    transformsDir: "/home/sven/clawd-mason/skills/linear-webhook",
    mappings: [
      {
        name: "linear",
        match: {
          path: "/linear",
          method: "POST"
        },
        action: "agent",
        transform: {
          module: "./linear-transform.js",
          export: "transformLinearWebhook"
        },
        deliver: false, // Don't auto-deliver to chat - Linear comments handle responses
      }
    ]
  }
}

2. Expose Webhook Endpoint

Use Cloudflare Tunnel or Tailscale Funnel to make webhook publicly accessible:

Option A: Cloudflare Tunnel (Recommended)

# Install if needed
brew install cloudflared

# Start tunnel (replace with your domain)
cloudflared tunnel --url http://localhost:18789

Option B: Tailscale Funnel

# Enable funnel
tailscale funnel 18789

Note the public URL (e.g., https://your-tunnel.trycloudflare.com)

3. Configure Linear Webhook

  1. Go to Linear Settings → API → Webhooks
  2. Click "Create new webhook"
  3. Set URL: https://your-tunnel.trycloudflare.com/hooks/linear
  4. Add custom header: x-clawdbot-token: your-secret-token-here
  5. Select events: Comment → Created
  6. Save webhook

4. Test

Comment in a Linear issue:

@mason add user authentication to the login page

Expected flow:

  1. Webhook fires to Clawdbot
  2. Mason agent receives task
  3. Mason implements or responds
  4. Result posted back to Linear issue as comment

Agent Routing

  • @mason → Code implementation, debugging, technical tasks
  • @eureka → Planning, strategy, research, communication
  • Other mentions → Ignored (not handled)

Issue Context Provided

The agent receives:

  • Issue title
  • Issue description
  • Issue labels
  • Comment text (the @mention)
  • Issue URL
  • Commenter name

Customization

Add More Agents

Edit linear-transform.js:

const AGENT_MENTIONS = {
  '@mason': 'mason',
  '@eureka': 'eureka',
  '@designer': 'designer', // Add your own agents
};

Change Response Behavior

Modify deliver and channel in config:

{
  deliver: true,
  channel: "telegram",
  to: "1878354815", // Your Telegram chat ID
}

This will also send agent responses to Telegram.

Security

  • Never commit hook token to version control
  • Use environment variables: CLAWDBOT_HOOK_TOKEN
  • Verify webhook source (Linear's IP ranges if needed)
  • Use HTTPS only (Cloudflare Tunnel provides this)

Troubleshooting

Webhook not firing

  • Check Linear webhook logs (Settings → API → Webhooks → View logs)
  • Verify tunnel is running: curl https://your-tunnel.trycloudflare.com/hooks/linear
  • Check Clawdbot logs: clawdbot gateway logs

Agent not responding

  • Check transform is loading: Look for errors in gateway logs
  • Verify agent session exists: clawdbot sessions list
  • Test transform manually: node linear-transform.js

Response not posting to Linear

  • Implement Linear API comment posting in transform
  • Add Linear API token to config
  • See linear-transform.js for example

Linear API Access

To post comments back to Linear, you need a Linear API token:

  1. Go to Linear Settings → API → Personal API keys
  2. Create new token with write scope
  3. Add to environment: CLAWDBOT_LINEAR_API_KEY=lin_api_...
  4. Transform will use this to post responses

Files

  • SKILL.md - This documentation
  • linear-transform.js - Webhook payload parser and agent router
  • linear-api.js - Linear GraphQL API client (for posting comments)
  • example-payload.json - Sample Linear webhook payload for testing

References

Usage Guidance
This skill generally does what it says (route @mentions to agents), but there are a few red flags you should act on before installing: - Manifest mismatch: The registry lists no required credentials, but SKILL.md and the code require a webhook token and a Linear API key (and may read agent OAuth tokens). Treat this as a sign the package metadata is incomplete or careless. - Local secret files & hard-coded paths: The code reads ~/.linear_api_key and ~/.config/clawdbot/linear-agent-tokens.json and references /home/sven/… paths. Before use, remove or fix hard-coded paths and prefer environment variables over reading plain files. If you keep a file-based key, ensure its filesystem permissions are strict (600) and it is stored in a secure location. - Shell execution: post-response.js executes the Clawdbot CLI and the code shows examples that run node -e with require() to call postLinearComment. Review those commands and avoid running arbitrary node -e snippets from untrusted sources. - Least privilege: Provide the Linear API token with the minimal scopes needed (write only where necessary) and consider using a dedicated Linear bot account instead of a personal API key. Rotate tokens and revoke them if you stop using the skill. - Network exposure: The instructions recommend Cloudflare Tunnel / Tailscale Funnel. If you expose a webhook, ensure the webhook endpoint requires the CLAWDBOT_HOOK_TOKEN header and restrict incoming sources if possible. - Code review: Because the skill was published from an unknown source, review the included JS scripts for any additional hidden network endpoints or data exfiltration paths (the current files do not point to suspicious external endpoints, but they do read and use local secrets). If you cannot review the code, run it in an isolated environment/container and limit its network and filesystem access. - Suggested changes before production use: - Update the skill metadata to declare required env vars (CLAWDBOT_HOOK_TOKEN, LINEAR_API_KEY) so the registry is honest about secrets needed. - Replace file-based secret reads with well-documented environment variable usage and explicit config paths. - Remove hard-coded absolute paths; make module import paths relative or configurable. - Add comment/response posting to use a dedicated app-level token and confirm how attribution is handled. If you accept those mitigations (or can run the skill in a sandboxed environment), the skill appears usable. Without those changes, treat it cautiously and avoid placing production secrets where the code expects them.
Capability Analysis
Type: OpenClaw Skill Name: linear-webhook Version: 1.0.0 The skill is classified as suspicious due to its high susceptibility to prompt injection, which could lead to unauthorized command execution and data exfiltration. Specifically, the `linear-transform.js` file constructs a task message for the AI agent that includes a 'MANDATORY' instruction to execute a shell command: `LINEAR_API_KEY=$(cat ~/.linear_api_key) node -e "..."`. This command reads a sensitive API key directly from a file (`~/.linear_api_key`) and executes Node.js code. While intended for the benign purpose of posting agent responses back to Linear, this mechanism provides a direct avenue for an attacker to inject malicious commands into the agent's response, potentially leading to arbitrary code execution or exfiltration of sensitive data beyond the Linear API key.
Capability Assessment
Purpose & Capability
Name/description match the code: it parses Linear comment webhooks and routes to agents. However, the registry lists no required environment variables or credentials while SKILL.md and the code require a hook token, a Linear API key, and optionally agent OAuth tokens. The code also references hard-coded paths (e.g., /home/sven/clawd-mason/..., ~/.linear_api_key) which are environment-specific and not appropriate to be undeclared.
Instruction Scope
Runtime instructions and the transform build a task that explicitly tells operators/agents to read local secret files (cat ~/.linear_api_key) and run node -e code that requires the skill module. The code itself reads ~/.linear_api_key and ~/.config/clawdbot/linear-agent-tokens.json, and post-response.js spawns shell commands (clawdbot sessions history). These behaviors extend beyond simple webhook parsing into reading local secrets and running shell commands.
Install Mechanism
There is no install spec (instruction-only with bundled code), so the skill does not download remote artifacts during install. That lowers install-time risk. It does assume external tools (cloudflared/tailscale, clawdbot CLI, Node.js) are present but does not install them itself.
Credentials
Registry metadata declares no required env vars, but SKILL.md and code require/encourage: CLAWDBOT_HOOK_TOKEN, LINEAR_API_KEY or CLAWDBOT_LINEAR_API_KEY, and possibly agent OAuth tokens stored under ~/.config. The code prefers reading secrets from disk (~/.linear_api_key), which increases risk and is disproportionate to a simple webhook transform. The skill also logs and prints task content (may include issue contents) and therefore has access to potentially sensitive project data.
Persistence & Privilege
always is false (normal) and the skill does not request to alter other skills or system-wide configs. However, bundled scripts reference absolute paths and local token files, which imply assumptions about filesystem layout and persistent storage of credentials; run-time file reads grant it access to secrets in the user's home directory.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install linear-webhook
  3. After installation, invoke the skill by name or use /linear-webhook
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of linear-webhook skill. - Enables dispatching tasks to Clawdbot agents through @mentions in Linear issue comments. - Webhook listens for Linear comment events and routes tasks to the correct agent (e.g., @mason for implementation, @eureka for strategy). - Includes detailed setup and configuration instructions for webhooks, agent routing, and security. - Supports customization for adding more agents and changing response behavior. - Provides troubleshooting and Linear API integration guidance.
Metadata
Slug linear-webhook
Version 1.0.0
License
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Linear Webhook?

Comment @mason or @eureka in Linear issues to dispatch tasks to agents. Webhook receives Linear comments and routes to correct agent. It is an AI Agent Skill for Claude Code / OpenClaw, with 1744 downloads so far.

How do I install Linear Webhook?

Run "/install linear-webhook" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Linear Webhook free?

Yes, Linear Webhook is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Linear Webhook support?

Linear Webhook is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Linear Webhook?

It is built and maintained by Arnarsson (@arnarsson); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191113 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments