ClawHub

Linear

v1.0.0

Query and manage Linear issues, projects, and team workflows.

19· 10.6k·120 current·123 all-time
by@manuelhettich
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill is a CLI wrapper around Linear's GraphQL API and legitimately needs LINEAR_API_KEY. However, the included bash script requires curl, jq, and cksum at runtime (and the SKILL.md mentions curl/jq), while the registry metadata lists no required binaries — that's a metadata mismatch that could confuse installers.
Instruction Scope
Runtime instructions and the script confine activity to the Linear GraphQL endpoint (https://api.linear.app/graphql) and local caching. The script does not attempt to read arbitrary user files, send data to unexpected third-party endpoints, or perform obfuscated actions. It does create a cache file in /tmp by default (derived from a checksum of your API key).
Install Mechanism
No install spec (instruction-only plus an included bash script). Nothing is downloaded from external URLs and no archives are extracted. Risk from installation is low — but the script assumes curl and jq are available on the system.
Credentials
The only required environment variable declared in the registry is LINEAR_API_KEY, which is appropriate. The SKILL.md and script also reference optional vars (LINEAR_DEFAULT_TEAM and LINEAR_TEAMS_CACHE) that are not listed in the registry metadata; this is not a security problem but is a documentation gap. The script derives a cache filename from the API key (cksum) and writes cached team data to /tmp by default, which could leave a recoverable artifact tied to your key.
Persistence & Privilege
The skill is not always: true and does not attempt to modify other skills or system-wide settings. It writes only its own cache file and has no elevated privileges.
Assessment
This skill appears to do what it says: it calls Linear's GraphQL API and requires your LINEAR_API_KEY. Before installing: 1) Inspect the included scripts (scripts/linear.sh) yourself — they use curl and jq, so ensure those binaries are present. 2) Be aware the script caches team info in /tmp by default using a filename derived from a checksum of your API key; if that is a concern set LINEAR_TEAMS_CACHE to a safer path or clear the cache after use. 3) Only provide an API key with the minimum necessary permissions and rotate it if you suspect misuse. 4) Note the registry metadata omits required binaries and optional env vars (LINEAR_DEFAULT_TEAM, LINEAR_TEAMS_CACHE); this is a documentation mismatch, not an indicator of malicious behavior.

Like a lobster shell, security has layers — review code before you run it.

latestvk975z7zta3ydyvzvvy3bw5n2nn7ypds9

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📊 Clawdis
EnvLINEAR_API_KEY

Comments