← 返回 Skills 市场
1744
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install linear-webhook
功能描述
Comment @mason or @eureka in Linear issues to dispatch tasks to agents. Webhook receives Linear comments and routes to correct agent.
使用说明 (SKILL.md)
Linear Webhook Skill
Enables Linear issue comment @mentions to dispatch tasks to Clawdbot agents.
How It Works
- Comment in Linear:
@mason implement user authenticationor@eureka plan Q2 roadmap - Linear webhook fires on comment creation
- Clawdbot receives webhook via exposed endpoint
- Transform parses payload:
- Extracts @mason or @eureka mention
- Gets issue context (title, description, labels)
- Prepares task prompt
- Routes to agent session:
- @mason →
masonagent (code/implementation) - @eureka →
eurekaagent (planning/strategy)
- @mason →
- Agent processes task and returns result
- Result posted back as Linear comment
Setup
1. Configure Clawdbot Webhooks
Add to your config.json5:
{
hooks: {
enabled: true,
token: "your-secret-token-here", // Generate with: openssl rand -base64 32
path: "/hooks",
transformsDir: "/home/sven/clawd-mason/skills/linear-webhook",
mappings: [
{
name: "linear",
match: {
path: "/linear",
method: "POST"
},
action: "agent",
transform: {
module: "./linear-transform.js",
export: "transformLinearWebhook"
},
deliver: false, // Don't auto-deliver to chat - Linear comments handle responses
}
]
}
}
2. Expose Webhook Endpoint
Use Cloudflare Tunnel or Tailscale Funnel to make webhook publicly accessible:
Option A: Cloudflare Tunnel (Recommended)
# Install if needed
brew install cloudflared
# Start tunnel (replace with your domain)
cloudflared tunnel --url http://localhost:18789
Option B: Tailscale Funnel
# Enable funnel
tailscale funnel 18789
Note the public URL (e.g., https://your-tunnel.trycloudflare.com)
3. Configure Linear Webhook
- Go to Linear Settings → API → Webhooks
- Click "Create new webhook"
- Set URL:
https://your-tunnel.trycloudflare.com/hooks/linear - Add custom header:
x-clawdbot-token: your-secret-token-here - Select events: Comment → Created
- Save webhook
4. Test
Comment in a Linear issue:
@mason add user authentication to the login page
Expected flow:
- Webhook fires to Clawdbot
- Mason agent receives task
- Mason implements or responds
- Result posted back to Linear issue as comment
Agent Routing
- @mason → Code implementation, debugging, technical tasks
- @eureka → Planning, strategy, research, communication
- Other mentions → Ignored (not handled)
Issue Context Provided
The agent receives:
- Issue title
- Issue description
- Issue labels
- Comment text (the @mention)
- Issue URL
- Commenter name
Customization
Add More Agents
Edit linear-transform.js:
const AGENT_MENTIONS = {
'@mason': 'mason',
'@eureka': 'eureka',
'@designer': 'designer', // Add your own agents
};
Change Response Behavior
Modify deliver and channel in config:
{
deliver: true,
channel: "telegram",
to: "1878354815", // Your Telegram chat ID
}
This will also send agent responses to Telegram.
Security
- Never commit hook token to version control
- Use environment variables:
CLAWDBOT_HOOK_TOKEN - Verify webhook source (Linear's IP ranges if needed)
- Use HTTPS only (Cloudflare Tunnel provides this)
Troubleshooting
Webhook not firing
- Check Linear webhook logs (Settings → API → Webhooks → View logs)
- Verify tunnel is running:
curl https://your-tunnel.trycloudflare.com/hooks/linear - Check Clawdbot logs:
clawdbot gateway logs
Agent not responding
- Check transform is loading: Look for errors in gateway logs
- Verify agent session exists:
clawdbot sessions list - Test transform manually:
node linear-transform.js
Response not posting to Linear
- Implement Linear API comment posting in transform
- Add Linear API token to config
- See
linear-transform.jsfor example
Linear API Access
To post comments back to Linear, you need a Linear API token:
- Go to Linear Settings → API → Personal API keys
- Create new token with
writescope - Add to environment:
CLAWDBOT_LINEAR_API_KEY=lin_api_... - Transform will use this to post responses
Files
SKILL.md- This documentationlinear-transform.js- Webhook payload parser and agent routerlinear-api.js- Linear GraphQL API client (for posting comments)example-payload.json- Sample Linear webhook payload for testing
References
安全使用建议
This skill generally does what it says (route @mentions to agents), but there are a few red flags you should act on before installing:
- Manifest mismatch: The registry lists no required credentials, but SKILL.md and the code require a webhook token and a Linear API key (and may read agent OAuth tokens). Treat this as a sign the package metadata is incomplete or careless.
- Local secret files & hard-coded paths: The code reads ~/.linear_api_key and ~/.config/clawdbot/linear-agent-tokens.json and references /home/sven/… paths. Before use, remove or fix hard-coded paths and prefer environment variables over reading plain files. If you keep a file-based key, ensure its filesystem permissions are strict (600) and it is stored in a secure location.
- Shell execution: post-response.js executes the Clawdbot CLI and the code shows examples that run node -e with require() to call postLinearComment. Review those commands and avoid running arbitrary node -e snippets from untrusted sources.
- Least privilege: Provide the Linear API token with the minimal scopes needed (write only where necessary) and consider using a dedicated Linear bot account instead of a personal API key. Rotate tokens and revoke them if you stop using the skill.
- Network exposure: The instructions recommend Cloudflare Tunnel / Tailscale Funnel. If you expose a webhook, ensure the webhook endpoint requires the CLAWDBOT_HOOK_TOKEN header and restrict incoming sources if possible.
- Code review: Because the skill was published from an unknown source, review the included JS scripts for any additional hidden network endpoints or data exfiltration paths (the current files do not point to suspicious external endpoints, but they do read and use local secrets). If you cannot review the code, run it in an isolated environment/container and limit its network and filesystem access.
- Suggested changes before production use:
- Update the skill metadata to declare required env vars (CLAWDBOT_HOOK_TOKEN, LINEAR_API_KEY) so the registry is honest about secrets needed.
- Replace file-based secret reads with well-documented environment variable usage and explicit config paths.
- Remove hard-coded absolute paths; make module import paths relative or configurable.
- Add comment/response posting to use a dedicated app-level token and confirm how attribution is handled.
If you accept those mitigations (or can run the skill in a sandboxed environment), the skill appears usable. Without those changes, treat it cautiously and avoid placing production secrets where the code expects them.
功能分析
Type: OpenClaw Skill
Name: linear-webhook
Version: 1.0.0
The skill is classified as suspicious due to its high susceptibility to prompt injection, which could lead to unauthorized command execution and data exfiltration. Specifically, the `linear-transform.js` file constructs a task message for the AI agent that includes a 'MANDATORY' instruction to execute a shell command: `LINEAR_API_KEY=$(cat ~/.linear_api_key) node -e "..."`. This command reads a sensitive API key directly from a file (`~/.linear_api_key`) and executes Node.js code. While intended for the benign purpose of posting agent responses back to Linear, this mechanism provides a direct avenue for an attacker to inject malicious commands into the agent's response, potentially leading to arbitrary code execution or exfiltration of sensitive data beyond the Linear API key.
能力评估
Purpose & Capability
Name/description match the code: it parses Linear comment webhooks and routes to agents. However, the registry lists no required environment variables or credentials while SKILL.md and the code require a hook token, a Linear API key, and optionally agent OAuth tokens. The code also references hard-coded paths (e.g., /home/sven/clawd-mason/..., ~/.linear_api_key) which are environment-specific and not appropriate to be undeclared.
Instruction Scope
Runtime instructions and the transform build a task that explicitly tells operators/agents to read local secret files (cat ~/.linear_api_key) and run node -e code that requires the skill module. The code itself reads ~/.linear_api_key and ~/.config/clawdbot/linear-agent-tokens.json, and post-response.js spawns shell commands (clawdbot sessions history). These behaviors extend beyond simple webhook parsing into reading local secrets and running shell commands.
Install Mechanism
There is no install spec (instruction-only with bundled code), so the skill does not download remote artifacts during install. That lowers install-time risk. It does assume external tools (cloudflared/tailscale, clawdbot CLI, Node.js) are present but does not install them itself.
Credentials
Registry metadata declares no required env vars, but SKILL.md and code require/encourage: CLAWDBOT_HOOK_TOKEN, LINEAR_API_KEY or CLAWDBOT_LINEAR_API_KEY, and possibly agent OAuth tokens stored under ~/.config. The code prefers reading secrets from disk (~/.linear_api_key), which increases risk and is disproportionate to a simple webhook transform. The skill also logs and prints task content (may include issue contents) and therefore has access to potentially sensitive project data.
Persistence & Privilege
always is false (normal) and the skill does not request to alter other skills or system-wide configs. However, bundled scripts reference absolute paths and local token files, which imply assumptions about filesystem layout and persistent storage of credentials; run-time file reads grant it access to secrets in the user's home directory.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install linear-webhook - 安装完成后,直接呼叫该 Skill 的名称或使用
/linear-webhook触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release of linear-webhook skill.
- Enables dispatching tasks to Clawdbot agents through @mentions in Linear issue comments.
- Webhook listens for Linear comment events and routes tasks to the correct agent (e.g., @mason for implementation, @eureka for strategy).
- Includes detailed setup and configuration instructions for webhooks, agent routing, and security.
- Supports customization for adding more agents and changing response behavior.
- Provides troubleshooting and Linear API integration guidance.
元数据
常见问题
Linear Webhook 是什么?
Comment @mason or @eureka in Linear issues to dispatch tasks to agents. Webhook receives Linear comments and routes to correct agent. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 1744 次。
如何安装 Linear Webhook?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install linear-webhook」即可一键安装,无需额外配置。
Linear Webhook 是免费的吗?
是的,Linear Webhook 完全免费(开源免费),可自由下载、安装和使用。
Linear Webhook 支持哪些平台?
Linear Webhook 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Linear Webhook?
由 Arnarsson(@arnarsson)开发并维护,当前版本 v1.0.0。
推荐 Skills