Maverick Linear MCPorter

Review

Audited by ClawScan on May 3, 2026.

Overview

This is a coherent Linear integration, but users should notice that it stores Linear OAuth tokens locally and can make team-visible changes in Linear.

Install only if you trust the mcporter dependency and are comfortable granting this integration Linear OAuth access. Pin mcporter if you need strict supply-chain control, keep token environment variables and `~/.mcporter/credentials.json` protected, and confirm before allowing the agent to create or update Linear items.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked incorrectly, the agent could create comments or change Linear items that teammates can see.

Why it was flagged

The skill can mutate Linear work items, which is appropriate for its purpose, and it includes a user-intent safeguard for writes.

Skill content

Write operations (`create_issue`, `update_issue`, `create_comment`, label/cycle/project changes, etc.) modify Linear work items visible to your team. Confirm clear user intent before invoking write tools

Recommendation

Use write tools only after the user clearly asks for a specific Linear change, and review Linear activity after first use.

What this means

The skill can act with the Linear permissions associated with the provided OAuth tokens, and those tokens persist locally for future calls.

Why it was flagged

The initializer reads Linear OAuth credentials from environment variables and stores them in mcporter's local credential vault.

Skill content

mcp_vault="${HOME}/.mcporter/credentials.json" ... tokens:     {access_token: env.mcp_access, refresh_token: env.mcp_refresh, token_type: "Bearer"}

Recommendation

Provide only the intended Linear integration credentials, protect `~/.mcporter/credentials.json`, and revoke or rotate the OAuth grant if access is no longer needed.

What this means

Future mcporter package changes could affect behavior without a skill update.

Why it was flagged

The dependency is disclosed, but installing npm latest means the reviewed skill does not fix the exact mcporter version that will run.

Skill content

The install spec uses unpinned `mcporter` (npm `latest`); operators with strict supply-chain controls should override the install to pin a specific version

Recommendation

Pin `mcporter` to a reviewed version in controlled environments.

What this means

Linear will receive the issue, project, and comment data included in tool calls.

Why it was flagged

The skill sends Linear-related request data to Linear's hosted MCP endpoint; this is disclosed and aligned with the integration.

Skill content

Tool calls travel to Linear's hosted MCP service at `https://mcp.linear.app/mcp` over HTTPS, authenticated via OAuth. Linear sees the issue/project/comment data referenced by each call.

Recommendation

Use this skill only for Linear-related content and avoid passing unrelated sensitive information through the Linear MCP tools.