Security scan
OpenClaw
Suspicious
High confidence: The skill's instructions clearly expect local Linear credentials and a workspace (config/mcporter.json and /Users/claw/.openclaw/workspace) and run arbitrary remote code via npx, yet the skill declares no required credentials, config paths, or install steps. This mismatch is concerning.
Assessment and recommendations
Do not install or run this skill without clarifying how it will access Linear credentials and where it will execute. Specific checks to request or perform before using it: 1) Ask the skill author to declare the required config paths or environment variables (e.g., LINEAR_API_KEY or the path to mcporter.json). 2) Inspect the referenced config/mcporter.json and confirm it does not expose sensitive tokens you don't want the agent to read. 3) Avoid running unpinned 'npx -y mcporter'; ask for a pinned package version or a vet...
⚠ Purpose and capabilities
The skill claims to triage Linear issues, which legitimately requires access to Linear credentials or configuration. However, the manifest declares no required environment variables, primary credential, or config paths, while the SKILL.md directly references config/mcporter.json and an absolute workspace path. The declared requirements do not match what the instructions actually need.
⚠ Instruction scope
The runtime instructions tell the agent to execute commands from an absolute local path (/Users/claw/.openclaw/workspace) and to read and use config/mcporter.json. They also include mutation commands that write to Linear. The SKILL.md therefore instructs filesystem access and potential credential use that are neither declared nor constrained; this broad scope is a red flag.
⚠ Installation mechanism
There is no install spec, but the instructions rely on running 'npx -y mcporter' at runtime. Using npx to fetch and run a package on each invocation can execute arbitrary remote code, and the skill provides no version pin or integrity check for it. That risk should be acknowledged and mitigated (pin the version, vet the package source).
⚠ Credential requirements
The skill declares no environment variables or primary credential, yet it depends on a local mcporter configuration file that almost certainly contains API tokens or endpoints for Linear. The required access to secrets and config is implicit and undeclared, which is disproportionate and hides what the agent will need to access.
ℹ Persistence and permissions
The skill does not request 'always: true' and is user-invocable (platform defaults apply). Autonomous invocation is allowed by platform default; combined with the missing declarations above (local config access plus remote npx execution), this increases the blast radius. The skill does not request persistent installation, which is appropriate.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/3/17
Initial release of linear-feedback-triage skill. - Enables querying, triaging, labeling, and replying to user-feedback issues from Linear, focused on the FB team workflow. - Provides command templates for listing issues, querying details, and managing statuses/labels/assignees. - Includes clear guidance for categorizing feedback, deduplicating issues, and handling membership/payment complaints. - Supports drafting user replies with recommended formats and tones per issue type. - Ensures data mutations (writes) are performed only upon clear user request or explicit workflow triggers. - Outlines concise and actionable output formats for status reporting and grouping requests.
● Harmless
Install command
Official: npx clawhub@latest install linear-feedback-triage
Mirror (accelerated): npx clawhub@latest install linear-feedback-triage --registry https://cn.longxiaskill.com