Query and manage Linear issues, projects, and team workflows.
Security Analysis
High confidence: The skill's code and instructions align with its stated purpose (a Linear API CLI); it only requires a Linear API key and talks to api.linear.app, but there are a few minor metadata/operational notes to review before installing.
The skill is a CLI wrapper around Linear's GraphQL API and legitimately needs LINEAR_API_KEY. However, the included bash script requires curl, jq, and cksum at runtime (and the SKILL.md mentions curl/jq), while the registry metadata lists no required binaries — that's a metadata mismatch that could confuse installers.
Runtime instructions and the script confine activity to the Linear GraphQL endpoint (https://api.linear.app/graphql) and local caching. The script does not attempt to read arbitrary user files, send data to unexpected third-party endpoints, or perform obfuscated actions. It does create a cache file in /tmp by default (derived from a checksum of your API key).
No install spec (instruction-only plus an included bash script). Nothing is downloaded from external URLs and no archives are extracted. Risk from installation is low — but the script assumes curl and jq are available on the system.
The only required environment variable declared in the registry is LINEAR_API_KEY, which is appropriate. The SKILL.md and script also reference optional vars (LINEAR_DEFAULT_TEAM and LINEAR_TEAMS_CACHE) that are not listed in the registry metadata; this is not a security problem but is a documentation gap. The script derives a cache filename from the API key (cksum) and writes cached team data to /tmp by default, which could leave a recoverable artifact tied to your key.
The skill is not marked always: true and does not attempt to modify other skills or system-wide settings. It writes only its own cache file and has no elevated privileges.
Guidance
This skill appears to do what it says: it calls Linear's GraphQL API and requires your LINEAR_API_KEY. Before installing:
1) Inspect the included scripts (scripts/linear.sh) yourself — they use curl and jq, so ensure those binaries are present.
2) Be aware the script caches team info in /tmp by default using a filename derived from a checksum of your API key; if that is a concern, set LINEAR_TEAMS_CACHE to a safer path or clear the cache after use.
3) Only provide an API key with the minimum necessary permissions and rotate it if you suspect misuse.
4) Note the registry metadata omits required binaries and optional env vars (LINEAR_DEFAULT_TEAM, LINEAR_TEAMS_CACHE); this is a documentation mismatch, not an indicator of malicious behavior.
Latest Release
v1.0.0
Init
Published by @ManuelHettich on ClawHub