Linear
PassAudited by ClawScan on May 1, 2026.
Overview
The skill is a coherent Linear integration with expected API-key access and issue-management actions, but users should treat it as write-capable and note its local team cache.
Install this only if you want the agent to access Linear with your API key and potentially update issues. Prefer a least-privileged key, confirm write actions before they run, and use a private cache path if local team metadata should not be stored under /tmp.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill with a write-capable Linear key lets the agent read and modify Linear workspace data within that key's permissions.
The script sends the configured Linear API key as the authorization header to Linear's GraphQL endpoint; this is expected for the integration but gives the skill whatever access that key has.
-H "Authorization: $LINEAR_API_KEY"
Use the least-privileged Linear API key available, keep it out of logs and shared shells, and rotate it if it may have been exposed.
Mistaken or overly broad use could create unwanted issues or change team workflow state in Linear.
The documented actions can create issues, add comments, and change issue state, assignment, or priority. This matches the stated Linear management purpose, but these are real workspace mutations.
linear.sh create ...; linear.sh comment ...; linear.sh status ...; linear.sh assign ...; linear.sh priority ...
Ask the agent to show and confirm write actions before running them, especially status, assignment, priority, and comment changes.
Local team names, keys, and IDs may persist between runs and could be stale or visible depending on local file permissions.
The script stores discovered Linear team metadata in a local cache file under /tmp by default; SKILL.md also discloses that team keys and IDs are cached locally.
TEAMS_CACHE="${LINEAR_TEAMS_CACHE:-/tmp/linear-teams-${cache_key}.json}"Set LINEAR_TEAMS_CACHE to a private path if team metadata is sensitive, and clear or refresh the cache when workspace membership changes.