Maverick Linear Mcp

Pass

Audited by VirusTotal on May 13, 2026.

Overview

Type: OpenClaw Skill
Name: maverick-linear-mcp
Version: 1.0.0

The skill is a legitimate integration for Linear's official Model Context Protocol (MCP) server. The included scripts, scripts/init-mcporter.sh and scripts/invoke.sh, are well-engineered wrappers for the 'mcporter' utility, handling OAuth token seeding into a local vault (~/.mcporter/credentials.json) with proper security practices such as atomic writes, file locking for concurrency, and the use of environment variables in jq to prevent credential leakage in process listings. The behavior is entirely consistent with the stated purpose of managing Linear workspace data.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used on an ambiguous or mistaken request, the agent could create, update, or delete team-visible Linear data.

Why it was flagged

The skill intentionally exposes Linear’s live MCP tool catalog, including mutation tools. This is disclosed and purpose-aligned, and the instructions require clear user intent for writes/deletes.

Skill content

Call any tool from the catalog ... Write/delete tools (`save_*`, `delete_*`, `create_*`) modify workspace data visible to the user's team — confirm clear user intent before invoking them.

Recommendation

Use clear requests for write actions, review tool names and arguments, and require explicit confirmation before create/update/delete operations.

What this means

The skill can act with the permissions granted to the Linear OAuth integration.

Why it was flagged

The skill uses delegated OAuth credentials and persists them in mcporter’s vault so it can act against the user’s Linear workspace.

Skill content

Credentials are available to the agent runtime through required env vars. The wrapper seeds mcporter's vault as needed before each call. mcporter then reads tokens from the vault, sends them with each request, and refreshes them on expiry.

Recommendation

Authorize only the intended Linear workspace, use the least-privileged grant available, and revoke or rotate the OAuth grant if the skill is no longer needed.

What this means

Installation trust depends on the current mcporter package resolved by the package manager.

Why it was flagged

The install mechanism depends on an external Node package and the artifact does not pin a specific version.

Skill content

node | package: mcporter | creates binaries: mcporter

Recommendation

Install from the expected package source and prefer a pinned or reviewed mcporter version in controlled environments.

What this means

Linear receives the issue, project, comment, and other workspace data referenced in tool calls.

Why it was flagged

The skill sends OAuth-authenticated MCP calls to Linear’s hosted endpoint; this external data flow is disclosed and matches the stated purpose.

Skill content

"baseUrl": "https://mcp.linear.app/mcp", "transport": "http", "auth": "oauth"

Recommendation

Use the skill only for Linear-related work and avoid sending unrelated sensitive content through Linear MCP tools.