ClawHub

Linearis

ReviewAudited by ClawScan on May 1, 2026.

Overview

Linearis is a coherent Linear.app CLI skill, with disclosed account access and data-changing commands that users should use deliberately.

Install only if you want an agent to use a Linear CLI. Verify the npm package first, use a dedicated Linear API token if possible, and explicitly approve create, update, upload/download, or delete operations before letting the agent run them.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Medium
#ASI02: Tool Misuse and Exploitation
What this means

If used incorrectly, the agent could change issue status, edit issue metadata, create comments/documents, or delete Linear documents.

Why it was flagged

These documented commands can create, update, and delete Linear workspace content. This is aligned with the skill's purpose, but it can affect business data.

Skill content
linearis issues create --title "Fix bug" --team WHO --priority 2
linearis issues update ABC-123 --status "Done"
linearis documents delete <doc-id>
Recommendation

Give explicit instructions before write or delete actions, review identifiers and arguments, and prefer read-only commands when only investigating.

Medium
#ASI03: Identity and Privilege Abuse
What this means

The CLI can access or modify Linear data according to the permissions of the provided API token.

Why it was flagged

The skill requires a Linear personal API token so the CLI can act with the permissions granted to that token. This is expected for the integration, but the registry metadata lists no primary credential.

Skill content
Auth (one of):
- `echo "lin_api_..." > ~/.linear_api_token` (recommended)
- `export LINEAR_API_TOKEN="lin_api_..."`
- `--api-token <token>` flag
Recommendation

Use a token intended for this purpose, keep it private, remove it when no longer needed, and revoke it from Linear if it may have been exposed.

Low
#ASI04: Agentic Supply Chain Vulnerabilities
What this means

Installing the package gives local execution capability to code distributed through npm under the `linearis` package name.

Why it was flagged

The skill relies on installing an external global npm package. That is normal for a CLI wrapper, but the artifact set does not include the package code or a pinned version.

Skill content
npm install -g linearis
Recommendation

Verify the npm package, maintainer, and version before installing, and consider pinning a known-good version in controlled environments.