Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Linear Autopilot

v1.0.2

Automate Linear task processing with Discord notifications and git sync. Use when setting up a kanban-to-agent workflow where Linear tasks trigger Clawdbot a...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill claims to automate Linear tasks with Discord notifications and git sync, which matches the provided scripts and guides. However, the registry metadata declares no required environment variables or binaries, while the SKILL.md and scripts require a LINEAR_API_KEY, and expect tools such as curl, jq and git. This mismatch is incoherent: a Linear integration legitimately needs an API key and network tools, so those should be declared.
Instruction Scope
The SKILL.md instructs creating ~/.clawdbot/linear.env and ~/.clawdbot/linear-config.json and placing API keys and Discord/Clawdbot tokens into automation services. It also tells the agent to 'spawn sub-agent if complex' and to run git commit/push. Those steps go beyond merely translating events: they include file writes, network calls, and autonomous sub-agent spawning, all of which widen the operational scope and require explicit declaration and user attention.
Install Mechanism
There is no install spec (instruction-only), which is lower risk. The repo includes a shell script that will be run by the user. No remote downloads or extraction are present. Still, the script depends on curl, jq and git being available and will read/write files in the user's home directory; these runtime expectations should be documented in metadata.
Credentials
The registry lists no required env vars, but SKILL.md and scripts require LINEAR_API_KEY and the guides instruct using Clawdbot/Discord bot tokens in automation platforms. Those credentials are necessary for the functionality, so omitting them from declared requirements is an inconsistency. The skill asks users to store secrets in a plaintext file (~/.clawdbot/linear.env) without recommending permissions or limited-scope keys.
Persistence & Privilege
The skill does not set always: true and does not request elevated platform privileges. It writes/reads its own config under ~/.clawdbot and references clawdbot.json (the Clawdbot config), which is reasonable for this integration, but users should be aware that the skill will create files in their home directory.
What to consider before installing
This skill appears to implement the advertised Linear → Discord → git workflow, but there are important mismatches and privacy considerations you should address before installing:
- Metadata vs instructions: The registry declares no required env vars or binaries, but SKILL.md and scripts require a LINEAR_API_KEY and expect curl, jq, and git. Treat the script as requiring these tools and the API key even though the registry omits them.
- Secrets handling: The instructions ask you to store your Linear API key in ~/.clawdbot/linear.env and to use Discord/Clawdbot tokens in automation services. Use a limited-scope Linear key if available, set file permissions (chmod 600 ~/.clawdbot/linear.env), and avoid pasting credentials into third-party paste sites. Consider creating service-specific or short-lived tokens.
- Review the script before running: scripts/linear-api.sh performs GraphQL calls using your API key, parses JSON with jq, and can run git commit/push as part of the workflow. Inspect it locally and run it manually in a controlled environment first. Ensure you have jq/curl/git installed and understand how git push will authenticate (SSH key or credential helper).
- External services and bot tokens: The guides recommend Make.com, Pipedream, or Zapier and instruct you to attach your Clawdbot Discord bot token to workflows. Grant the Discord bot the minimum permissions it needs and prefer webhooks where possible to avoid exposing bot tokens widely.
- Autonomous scope: The SKILL.md mentions spawning sub-agents and automatically processing tasks. If you will allow autonomous agent invocation, be explicit about limits and where outputs are written (research/, content/, etc.). If you prefer manual control, run the workflow in a test environment first.
If you want to proceed: (1) inspect the scripts and SKILL.md thoroughly, (2) create limited-scope API tokens, (3) set strict file permissions for stored secrets, (4) test in an isolated repo and Discord server, and (5) ensure your automation platform (Make/Pipedream/Zapier) does not expose tokens in logs you can't control.
