Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Linear Todos
v1.1.0
A CLI tool that executes Python source code to manage todos via Linear's API. Creates tasks with natural language dates, priorities, and scheduling. This is...
by Kyle Holzinger (@avegancafe)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign (high confidence)
Purpose & Capability
Name/description match the implementation: the package contains a Python CLI that calls Linear's GraphQL API. Required credential (LINEAR_API_KEY) and the declared config path (~/.config/linear-todos/config.json) are appropriate for the stated functionality.
Instruction Scope
Runtime instructions and code are mostly scoped to Linear API operations and local config. One scope extension: the config code can attempt to read an OpenClaw workspace USER.md (searching up to 5 parent directories) to infer a timezone; this is declared in SKILL.md but is additional local file access beyond the config file. Also the setup wizard temporarily sets LINEAR_API_KEY in-process to validate the key (documented).
Install Mechanism
Install metadata uses 'uv' (an existing tool). The skill is source-execution (bundled Python) with no external downloads performed by the skill itself. pyproject lists normal Python deps (click, dateparser, requests). The README suggests installing 'uv' via its installer script, but that is a separate tool-install recommendation and not part of this skill's install spec.
Credentials
Only LINEAR_API_KEY is required (primary credential), which is proportional. Optional LINEAR_* env vars are reasonable. Minor caveat: the code checks additional environment variables (XDG_CONFIG_HOME for config dir, and a test toggle LINEAR_TODOS_NO_USERMD_FALLBACK) that are not listed in the requires.env table; the latter is a harmless testing toggle but is an undocumented env-var the code reads.
Persistence & Privilege
always is false. The skill writes a plaintext JSON config only when the user runs the interactive 'setup' command; file permissions are set to user read/write (0o600). It does not auto-install cron jobs or modify other skills or system settings.
Assessment
This skill appears to do what it says: it runs bundled Python code to manage Linear issues and only contacts api.linear.app. Before installing or running setup: 1) prefer setting LINEAR_API_KEY in your environment rather than running the interactive setup to avoid writing the API key to disk; 2) if you must run setup, be aware it will store the key in plaintext at ~/.config/linear-todos/config.json with 0o600 permissions; 3) the code may read a workspace USER.md (to infer timezone) — if that file contains sensitive information you do not want read, avoid installing this skill in that workspace or set LINEAR_TODOS_NO_USERMD_FALLBACK=1; 4) review src/linear_todos/api.py yourself to confirm it only calls api.linear.app; 5) as a best practice, create and use a dedicated Linear API token with minimal scope and be prepared to revoke it if you stop using the skill. If you want extra assurance, run the initial setup in an isolated container/VM.
Like a lobster shell, security has layers — review code before you run it.
latest vk97dvf549e9bnjbb7m3sbq19qh81dw41
Runtime requirements
Env: LINEAR_API_KEY
Config: ~/.config/linear-todos/config.json
Primary env: LINEAR_API_KEY
Install
Linear Todos CLI
