Linear
PassAudited by ClawScan on May 1, 2026.
Overview
This skill appears coherent and purpose-aligned, but it can read and change Linear workspace data using your Linear API key.
Install this only if you are comfortable granting a dedicated Linear API key to a local CLI that can read and update Linear workspace records. Keep changes narrowly scoped, confirm IDs before updates, avoid secrets in Linear issue text, and use the included lockfile for dependency installation.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked with the wrong IDs or scope, the skill could create or modify Linear issues/projects/comments in ways that affect team workflows.
The CLI can create and update Linear records. This is disclosed and matches the skill purpose, but it can still materially change workspace data.
async createIssue(...) { ... client.createIssue(...) } ... async updateIssue(issueId, updates) { ... client.updateIssue(issueId, updateData); }Confirm team/project/issue IDs and requested changes before mutations, especially for bulk updates; review the final change summary.
Anyone running the skill with that environment variable can act through the configured Linear API key.
The skill uses a local Linear API key as delegated account authority. The credential use is expected and not hardcoded, but it grants access according to the token's Linear permissions.
const apiKey = process.env.LINEAR_API_KEY; ... const client = new LinearClient({ apiKey });Use a dedicated, least-privilege Linear token for automation and rotate it if it is exposed or shared.
The installed SDK runs locally and is part of the path that uses the Linear API key.
The skill depends on the external @linear/sdk package from npm. This is expected for the stated purpose and the lockfile provides version and integrity information.
"node_modules/@linear/sdk": { "version": "71.0.0", "resolved": "https://registry.npmjs.org/@linear/sdk/-/sdk-71.0.0.tgz", "integrity": "sha512-Fm3C6..." }Install using the included lockfile and review dependency updates before upgrading.
Linear comments or descriptions may be visible to the agent and could influence its recommendations or actions.
The skill returns Linear issue descriptions and comments to the agent context. This is necessary for Linear work, but those fields can contain sensitive or untrusted workspace text.
description: issue.description, ... comments: comments.nodes.map(c => ({ id: c.id, body: c.body, user: c.user?.name, createdAt: c.createdAt }))Do not put secrets in Linear issue text, and treat issue/comment content as project data rather than authoritative instructions.