Linear 1.0.0

Review

Audited by ClawScan on May 10, 2026.

Overview

This appears to be a straightforward Linear integration, but it uses your Linear API key to read and change workspace issues and caches team information locally.

Install only if you trust the publisher and are comfortable giving the agent access to your Linear workspace. Prefer a least-privileged API key, require confirmation before create/comment/status/assign/priority actions, and be aware that team metadata is cached locally.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked incorrectly, the agent could make unintended changes to Linear issues or team workflows.

Why it was flagged

The skill clearly exposes commands that can create issues, add comments, change status, and reassign work in Linear. This is purpose-aligned, but it can mutate team workflow data.

Skill content

{baseDir}/scripts/linear.sh create <TEAM_KEY> "Title" ...
{baseDir}/scripts/linear.sh comment <TEAM-123> "Comment text"
{baseDir}/scripts/linear.sh status <TEAM-123> <todo|progress|review|done|blocked>
{baseDir}/scripts/linear.sh assign <TEAM-123> <userName>

Recommendation

Use this skill with explicit user approval for write actions, and verify team keys, issue IDs, assignees, and status changes before running mutation commands.

What this means

Any person or agent using this skill can act within the Linear permissions granted to that API key.

Why it was flagged

The helper uses the provided Linear API key as the authorization credential for API calls. This is expected for the integration and no unrelated transmission is shown, but it gives the skill whatever Linear permissions the key has.

Skill content

-H "Authorization: $LINEAR_API_KEY"

Recommendation

Use the least-privileged Linear API key available, keep it out of logs and shared shells, and rotate it if exposure is suspected.

What this means

Local team metadata may remain on disk, and a stale or tampered cache could cause commands to resolve a team incorrectly.

Why it was flagged

The script persists Linear team IDs, keys, and names in a local /tmp cache. This is disclosed in SKILL.md as cached team lookup, but the default cache location and permissions are not described.

Skill content

TEAMS_CACHE="${LINEAR_TEAMS_CACHE:-/tmp/linear-teams-${cache_key}.json}"
...
gql "{ teams { nodes { id key name } } }" > "$TEAMS_CACHE"

Recommendation

Refresh the team cache when teams change, consider setting LINEAR_TEAMS_CACHE to a user-private path, and delete the cache if the machine is shared.

What this means

The skill may fail unexpectedly or rely on whatever curl and jq binaries are available on the user's PATH.

Why it was flagged

The script documents runtime dependencies on curl and jq, while the provided requirements list no required binaries. This is a dependency declaration gap rather than evidence of malicious behavior.

Skill content

# Requires: LINEAR_API_KEY, curl, jq

Recommendation

Install curl and jq from trusted sources. The publisher should declare these runtime dependencies in metadata.