Linear CLI
v0.1.0
Linear CLI skill for OpenClaw workflows, powered by Api2Cli (a2c) against Linear's GraphQL API. Provides a wrapper script that generates its a2c workspace co...
⭐ 0 · 475 · 4 current · 4 all-time
by Simon van Laak @simonvanlaak
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The SKILL.md and README claim the skill provides a wrapper script (./scripts/linear) and an a2c workspace (a2c/config.xfer). However the published package only contains README.md and SKILL.md — no scripts or config files are present. That makes the claimed capability unsupported by the files included. Additionally, the registry metadata lists no required env vars, while SKILL.md explicitly requires LINEAR_API_KEY (mismatch). Requesting a Linear API key itself is proportional to the stated purpose, but the claim that the package 'provides' files is not backed by the archive.
Instruction Scope
Runtime instructions tell the agent/user to run ./scripts/linear and to rely on a2c/config.xfer. Those files are not present in the published files, and there are no instructions explaining how or when they will be generated. Apart from that mismatch, the instructions themselves are narrowly scoped to calling the Linear GraphQL API via a2c and only reference LINEAR_API_KEY — there are no broad data-collection or unrelated-system-read directives.
Install Mechanism
There is no install spec (instruction-only skill), which is low-risk. The declared runtime dependency is a2c on PATH; that's reasonable and expected. No downloads or archive extraction are present in the package.
Credentials
SKILL.md requires a LINEAR_API_KEY environment variable, which is proportionate for a Linear CLI. However the registry metadata and manifest claim no required env vars and no primary credential — this inconsistency is a red flag. Confirming which env vars are truly required and why would be necessary. No other credentials are requested.
Persistence & Privilege
The skill does not request elevated persistence: always is false and there are no config paths or system-wide changes requested. No automatic autonomous invocation privilege issues beyond the platform default.
What to consider before installing
Do not install or run this skill until the author clarifies and provides the missing files. Specifically: (1) ask for the actual scripts (./scripts/linear) and a2c/config.xfer or a clear, auditable generator that will create them at install/run time; (2) confirm that LINEAR_API_KEY is required and update the registry metadata to declare it as a required credential; (3) if a generator will write files at runtime, get the generator source so you can review it — ensure it does not download or execute arbitrary code from untrusted URLs; (4) if you proceed, use a least-privilege Linear API token and review network activity; and (5) prefer a version that includes all code files or an explicit, reviewable install script rather than an instruction-only package claiming to 'provide' files that are not present.
Like a lobster shell, security has layers — review code before you run it.
latest vk97178fprtdjjy3r1xt9bwjqzs81xp82
