Linear Todos

Pass

Audited by ClawScan on May 1, 2026.

Overview

This appears to be a coherent Linear todo CLI, but it needs a Linear API key and can create or update Linear tasks when invoked.

Install only if you are comfortable letting an agent manage Linear todos with your API key. Prefer an environment variable over saved plaintext config, use a dedicated revocable Linear key, verify the configured team/state IDs, and do not add the optional cron examples unless you want scheduled runs.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent using this skill can create todos, mark them done, or change due dates in Linear.

Why it was flagged

The CLI performs create and update operations against Linear issues, so invoking it can change workspace todo data.

Skill content

result = api.create_issue(...); ... result = api.update_issue(issue_id, state_id=done_state_id)

Recommendation

Use it for explicit todo-management requests, verify the configured team and state IDs, and review ambiguous or broad task changes before allowing them.

What this means

Anyone who can read that config file could use the stored Linear API key within its granted permissions.

Why it was flagged

The skill requires a Linear API key and may persist it locally in plaintext, even though this is disclosed and user-directed.

Skill content

stores your Linear API key in plaintext JSON at `~/.config/linear-todos/config.json` only if you run the `setup` command

Recommendation

Prefer the LINEAR_API_KEY environment variable, use a dedicated minimal-scope Linear key, and revoke the key if you stop using the skill.

What this means

Future dependency resolution could install different package versions than the author tested.

Why it was flagged

Runtime dependencies are declared with version ranges, so installation may resolve newer third-party package versions.

Skill content

dependencies = ["click>=8.3.1", "dateparser>=1.3.0", "requests>=2.32.5"]

Recommendation

Install from a trusted source, consider using a lockfile or controlled environment, and review dependency provenance if this will run in a sensitive workspace.

What this means

Running the skill executes bundled Python code with the user's local environment and Linear credential access.

Why it was flagged

This is a source-execution skill rather than instruction-only; the behavior is explicitly disclosed and central to the CLI.

Skill content

The agent runs Python code from `src/linear_todos/` when you invoke CLI commands.

Recommendation

Review the included source, especially api.py and config.py, before first use.

What this means

A modified USER.md timezone could affect scheduled due dates, though the code only extracts a timezone-like value and does not send USER.md content to other services.

Why it was flagged

If no timezone is configured, the skill reads OpenClaw USER.md and extracts a timezone value, so persistent profile content can influence date calculations.

Skill content

content = user_md.read_text(); match = re.search(r'(?:timezone|time.?zone)...', content, re.IGNORECASE)

Recommendation

Set LINEAR_TIMEZONE explicitly or use LINEAR_TODOS_NO_USERMD_FALLBACK=1 if you do not want the skill reading USER.md.