Linear Issues

Review

Audited by ClawScan on May 10, 2026.

Overview

This appears to be a real Linear integration, but it uses a Linear API key to change workspace issues and builds some API requests from unescaped text.

Review this skill before installing. It is purpose-aligned for Linear, but it can modify real workspace issues and should escape API inputs more safely. If you use it, provide the narrowest Linear token you can and confirm create, update, and comment actions before running them.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A crafted title, description, or comment could make the Linear API request fail or potentially perform a different mutation using the user's Linear token.

Why it was flagged

User-supplied fields such as title, description, search text, and comment body are inserted directly into GraphQL/JSON strings instead of being escaped or sent as variables.

Skill content

local input="teamId: \\\"$team_id\\\", title: \\\"$title\\\"" ... gql "{\"query\": \"mutation { issueCreate(input: { $input })

Recommendation

Use GraphQL variables and JSON-safe construction, such as jq --arg or a real GraphQL client, and require review before create/update/comment actions.

What this means

Installing and using the skill gives the assistant whatever Linear access the API key has, including creating issues, changing statuses, adding comments, and listing users.

Why it was flagged

The skill needs the user's Linear API key to access and mutate Linear workspace data; this is purpose-aligned but sensitive.

Skill content

Store API key in `~/.clawdbot/credentials/linear.json`: {"apiKey": "lin_api_..."}

Recommendation

Use a least-privilege Linear API key if available, store it securely, and review requested mutations before allowing the assistant to run them.