by 下载技能包
最后更新
2026/3/5
安全扫描
OpenClaw
可疑
medium confidenceThe package is a legitimate-looking Linear API client that correctly requires a LINEAR_API_KEY, but there are provenance/metadata inconsistencies (and missing homepage/owner transparency) that warrant caution before installing or granting credentials.
评估建议
This skill appears to do what it says (talk to Linear's GraphQL API) and the source includes readable code you can inspect. However: (1) the registry metadata shown to you contradicts the packaged manifest and README — it says no env vars, while skill.json and SKILL.md require LINEAR_API_KEY. That inconsistency is a red flag for sloppy publishing or metadata tampering; confirm the platform will prompt for the secret and that the manifest used at install time matches the shipped skill.json. (2) T...详细分析 ▾
ℹ 用途与能力
The code and SKILL.md implement a Linear GraphQL client and operations that clearly require a Linear API key — this matches the stated purpose. However, the top-level registry metadata in the prompt claims "Required env vars: none" and "Primary credential: none", which conflicts with skill.json and SKILL.md (both require LINEAR_API_KEY). That inconsistency in published metadata is unexpected and should be resolved.
✓ 指令范围
SKILL.md and the code confine runtime behavior to the Linear GraphQL API and local parsing (e.g., git commit parsing). The instructions explicitly require LINEAR_API_KEY and describe CLI / stdin usage. The runtime code only reads OPENCLAW and LINEAR_API_KEY from the environment; it does not instruct reading arbitrary local files or sending data to other endpoints. Behavior stays within the stated scope.
✓ 安装机制
There is no install spec (no remote downloads); code is bundled in the skill and uses only built-in Node.js modules. This is low-install risk because nothing is fetched from arbitrary URLs during install. The package has zero runtime dependencies and uses Node built-ins (https/fetch).
⚠ 凭证需求
The code and skill.json require a single credential: LINEAR_API_KEY, which is appropriate for a Linear client. The concern is the mismatch with the registry-level metadata (which lists no required env) — that could cause the platform to not surface the secret prompt properly. Also note that the provided API key will be sent as an Authorization header to api.linear.app, and that key permits operations (create/update/move issues, post comments) — the user should only supply a key with the least privileges necessary.
✓ 持久化与权限
The skill is not 'always: true' and is user-invocable only. It does not request elevated platform privileges or modify other skills' configs. Autonomous invocation is allowed by default (disable-model-invocation is false) but that is platform normal and not by itself concerning here.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.22026/3/5
Version 1.0.2 - Added a new CHANGELOG.md file. - Updated SKILL.md to clarify that this is an unofficial community skill and not affiliated with or endorsed by Linear, Inc. - Minor metadata updates in package.json and skill.json.
● 无害
安装命令
点击复制官方npx clawhub@latest install linear-agent
镜像加速npx clawhub@latest install linear-agent --registry https://cn.longxiaskill.com