Description
Hello,
In preparation for using linear mcp, we recently conducted a vibe-analysis 😉 of the entire codebase using Gemini 2.5 (version 1.0.9).
During this analysis, we identified a few very minor issues or potential improvements, which we've detailed below.
This analysis also suggests that, aside from these specific points, the 1.0.9 MCP server distribution is quite reliable.
Having completed this comprehensive review, we wanted to share these extremely minor potential improvements in case they are helpful.
Gemini 2.5 pointed out 5-ish concerns, but I've pruned the 4 less problematic ones:
- Linear API Token Management: Linear API token exposed via command-line arguments. (what's the alternative then, Gemini? 🤷)
- Sensitive Information Exposure: Sensitive PII like user emails exposed in tool output. (duh)
- Input Validation and Sanitization: Lack of input validation and sanitization can lead to XSS vulnerabilities. (marginally, yes. All LLMs do.)
- Error Logging: Full error object logging may expose sensitive internal information. (also kinda marginal)
Concern: When the API token is not found, the application logs keys of environment variables that include "LINEAR" (src/utils/config.ts). This could inadvertently reveal the existence of other sensitive environment variables if they follow a similar naming convention.
Example:
If a sensitive key like LINEAR_WEBHOOK_SECRET exists in the environment, its name will be logged, indicating its presence even if the value is not logged.
Recommendation:
- Remove or refine the logging logic to avoid exposing environment variable keys, especially those that might indicate the presence of sensitive information.
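The logging pattern described in the issue, as an added illustration rather than code from the linear mcp project: a stand-in for the token lookup in src/utils/config.ts with the key-enumerating diagnostic beside an allowlist-based one. The variable names, function names and sample environment are assumptions.

```typescript
// Added illustration, not code from linear-mcp: a stand-in for the token lookup in
// src/utils/config.ts. TOKEN_VAR, EXPECTED_VARS and the function names are assumed.
type Env = Record<string, string | undefined>;

const TOKEN_VAR = "LINEAR_API_TOKEN";                          // assumed primary variable
const EXPECTED_VARS = ["LINEAR_API_TOKEN", "LINEAR_API_KEY"];  // assumed accepted names

// Weak diagnostic: enumerates every env key containing "LINEAR". The names of
// unrelated secrets (e.g. LINEAR_WEBHOOK_SECRET) are copied into the log line.
function leakyDiagnostic(env: Env): string {
  if (env[TOKEN_VAR]) return "";
  const related = Object.keys(env).filter((k) => k.includes("LINEAR"));
  return `${TOKEN_VAR} not set. LINEAR-related env vars: ${related.join(", ")}`;
}

// Refined diagnostic: only names from a fixed allowlist of variables the server
// itself reads can appear in the message, so nothing else in the environment is
// revealed, not even its presence.
function safeDiagnostic(env: Env): string {
  const found = EXPECTED_VARS.find((k) => env[k]);
  if (found) return "";
  return `No Linear API token found; set one of: ${EXPECTED_VARS.join(", ")}`;
}

// True if the message names any env key outside the allowlist (what a log
// review would flag).
function leaksUnexpectedKeys(message: string, env: Env): boolean {
  return Object.keys(env).some((k) => !EXPECTED_VARS.includes(k) && message.includes(k));
}

// Constructed sample environment: token missing, two other LINEAR_* variables present.
const sampleEnv: Env = {
  PATH: "/usr/bin",
  LINEAR_WEBHOOK_SECRET: "placeholder-not-a-real-secret",
  LINEAR_TEAM_ID: "TEAM-1",
};

console.log(leakyDiagnostic(sampleEnv)); // names LINEAR_WEBHOOK_SECRET and LINEAR_TEAM_ID
console.log(safeDiagnostic(sampleEnv));  // names only the allowlisted variables
```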