
ClawScan security

Linear 1.0.0 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 15, 2026, 2:35 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
This is a coherent Linear CLI wrapper that only needs your LINEAR_API_KEY and uses the Linear GraphQL API; the requested access and actions match the skill's stated purpose, with a few small hygiene issues to check before installing.
Guidance
What to check before installing:
- Review the full scripts/linear.sh file (the manifest view here was truncated) to ensure there is no unexpected behavior or hidden endpoints.
- Confirm curl and jq are present on the host (the script requires them) and update the skill metadata if needed.
- Verify the LINEAR_API_KEY you supply has the minimal scopes needed (use a limited-scope token) because the script sends that key in Authorization headers to api.linear.app.
- Be aware the script caches team data in /tmp using a checksum-derived filename based on the API key; this cache is local but you may want to control its location via LINEAR_TEAMS_CACHE if you have security policies about /tmp contents.
- Check the owner/source (homepage is correct for Linear, but ownerId in _meta.json differs from the registry owner id shown) — prefer skills from a known repository or vendor when possible.
- If you plan to allow autonomous agent invocation, remember the agent could call these operations automatically; limit the API key scope accordingly.

If anything in the full script looks unexpected, do not install.

Review Dimensions

Purpose & Capability
note: The skill's name and description match its behavior: the script wraps the Linear GraphQL API and performs issue/project/team operations. Requested env var (LINEAR_API_KEY) is expected. Minor inconsistency: the registry metadata lists no required binaries, but the script requires curl and jq (and the SKILL.md examples reference gh for PR creation). Confirm curl/jq are available or update metadata.
Instruction Scope
note: SKILL.md instructs the agent to run the included bash script which performs only GraphQL requests to api.linear.app and local caching of team data in /tmp. The instructions do not request unrelated system files or external endpoints. Note: the skill listing in this evaluation shows the script output truncated — review the full scripts/linear.sh file before trusting it to ensure there is no unexpected code beyond the displayed portion.
Install Mechanism
ok: No install spec (instruction-only with an included script). Nothing is downloaded from third-party URLs or written during an install step. Risk is limited to the content of the provided script which will run when invoked.
Credentials
note: Only LINEAR_API_KEY is required by the skill (optional LINEAR_DEFAULT_TEAM and LINEAR_TEAMS_CACHE are referenced). That is proportionate to the described functionality. The script derives a cache filename from a checksum of the API key and stores cached team data under /tmp; this is local storage and not an exfiltration channel, but it does create files named from a checksum of your key. Ensure you only provide a key with minimal necessary scopes.
Persistence & Privilege
ok: The skill is not always-enabled and does not request elevated or persistent platform privileges. It writes a teams cache to /tmp (scoped to the API key checksum) but does not modify other skills or system configs.