linear-cli Security Report — Trusted | ClawSafe

5 /100

linear-cli

Use the linear-cli agent-native runtime to read and mutate Linear from Claude Code, Codex, or other agents

This is a legitimate Linear CLI wrapper skill with no malicious behavior. All capabilities are clearly documented and the script is a documentation generator for the CLI tool.

Skill Namelinear-cli

Duration32.1s

Enginepi

✓

Safe to install

No action needed. The skill is safe to use as documented.

Findings 1 items

Severity	Finding	Location
Low	Implicit filesystem read capability Doc Mismatch The skill uses --description-file and --body-file flags but filesystem:READ is not explicitly declared in allowed-tools. This is a minor gap as it's CLI tool behavior, not custom code. --description-file for `issue create` and `issue update` → Consider adding Read to declared allowed-tools if filesystem access is expected to be used directly by agents	`SKILL.md:50`

Resource	Declared	Inferred	Status	Evidence
Shell	`WRITE`	`WRITE`	✓ Aligned	SKILL.md declares Bash(linear:) and Bash(curl:) for executing the Linear CLI a…
Filesystem	`NONE`	`READ`	✓ Aligned	SKILL.md shows --description-file and --body-file flags for reading local files,…
Network	`READ`	`READ`	✓ Aligned	SKILL.md documents https://api.linear.app/graphql as the Linear API endpoint

1 findings

🔗

Medium External URL 外部 URL

https://api.linear.app/graphql

SKILL.md:207

File Tree

27 files · 150.1 KB · 4120 lines

Markdown 26f · 3765L TypeScript 1f · 355L

├─ ▾ 📁 references

│ ├─ 📝 api.md Markdown 24L · 1.0 KB

│ ├─ 📝 auth.md Markdown 165L · 4.8 KB

│ ├─ 📝 capabilities.md Markdown 30L · 1.3 KB

│ ├─ 📝 commands.md Markdown 53L · 2.2 KB

│ ├─ 📝 commands.template.md Markdown 33L · 1018 B

│ ├─ 📝 config.md Markdown 20L · 569 B

│ ├─ 📝 cycle.md Markdown 199L · 6.7 KB

│ ├─ 📝 document.md Markdown 157L · 6.2 KB

│ ├─ 📝 initiative-update.md Markdown 73L · 2.5 KB

│ ├─ 📝 initiative.md Markdown 249L · 9.9 KB

│ ├─ 📝 issue.md Markdown 870L · 37.9 KB

│ ├─ 📝 label.md Markdown 98L · 3.2 KB

│ ├─ 📝 milestone.md Markdown 163L · 6.2 KB

│ ├─ 📝 notification.md Markdown 116L · 3.8 KB

│ ├─ 📝 organization-features.md Markdown 85L · 1.9 KB

│ ├─ 📝 project-label.md Markdown 51L · 1.5 KB

│ ├─ 📝 project-update.md Markdown 73L · 2.4 KB

│ ├─ 📝 project.md Markdown 247L · 9.4 KB

│ ├─ 📝 resolve.md Markdown 155L · 5.3 KB

│ ├─ 📝 schema.md Markdown 21L · 631 B

│ ├─ 📝 team.md Markdown 182L · 5.9 KB

│ ├─ 📝 user.md Markdown 75L · 2.1 KB

│ ├─ 📝 webhook.md Markdown 172L · 6.9 KB

│ └─ 📝 workflow-state.md Markdown 74L · 2.0 KB

├─ ▾ 📁 scripts

│ └─ 📜 generate-docs.ts TypeScript 355L · 10.1 KB

├─ 📝 SKILL.md Markdown 211L · 8.6 KB

└─ 📝 SKILL.template.md Markdown 169L · 6.0 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`linear-cli`	`unspecified`	external CLI	No	External dependency - skill is a wrapper, actual CLI must be installed separately

Security Positives

✓ No credential harvesting or exfiltration - linear auth token is documented as a user-facing command

✓ No base64 or obfuscated code execution

✓ No remote script download or pipe-to-bash patterns

✓ Network requests only to known Linear API endpoint (api.linear.app)

✓ All shell commands go through the linear CLI tool, not arbitrary subprocess execution

✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env files

✓ Well-documented skill with comprehensive reference documentation

Scan Report

Findings 1 items

File Tree

Dependencies 1 items

Security Positives