Security scan
OpenClaw
Suspicious
medium confidence
The skill's instructions match a Linear GraphQL integration (using uxc) but the packaged metadata and files are inconsistent: required env vars and CLI deps are referenced in SKILL.md and scripts but not declared, which could lead to misconfiguration or unexpected behavior.
Assessment recommendations
This skill appears to implement exactly what it claims (control Linear via the Linear GraphQL API using the 'uxc' CLI), but there are inconsistencies you should address before installing:
- Ensure you have the 'uxc' CLI installed and network access to https://api.linear.app/graphql. The SKILL.md expects these even though the package metadata lists no binaries.
- The docs show using an environment variable LINEAR_API_KEY (or literal secret). Prefer storing secrets in uxc's credential store or en...
Detailed analysis
ℹ Purpose and capabilities
Name/description match the implementation: the SKILL.md instructs use of uxc against api.linear.app and supports API key or OAuth—exactly what a Linear GraphQL skill would need. However the package metadata declares no required environment variables or binaries even though the runtime guidance expects the uxc CLI (and environment variable LINEAR_API_KEY as an option). That mismatch is inconsistent.
ℹ Instruction scope
Instructions are narrowly scoped to using the uxc CLI to discover, inspect, and run GraphQL operations against api.linear.app; they do not request unrelated system files or external endpoints. They do instruct use of an environment variable (LINEAR_API_KEY) and provide commands that accept literal secrets (not recommended). The SKILL.md also expects the agent/user to create bindings and run an OAuth local callback flow—these are normal but require interactive/privileged steps from the user.
✓ Install mechanism
No install spec is present (instruction-only), so nothing will be downloaded or written by the skill at install time. The included scripts (scripts/validate.sh) are local validation helpers and do not fetch remote code. This is low install risk.
ℹ Credential requirements
The only sensitive credentials the skill needs are Linear API key or OAuth tokens, which are proportionate to its purpose. However the skill package metadata does not declare any required env vars or a primary credential while the runtime docs explicitly reference LINEAR_API_KEY and credential setup, and the validation script requires the 'rg' binary. The omission increases the chance of misconfiguration or accidental exposure (e.g., pasting literal secrets into command lines).
✓ Persistence and privileges
The skill is not always-enabled and does not request elevated platform privileges. It does not attempt to modify other skills or system-wide configuration beyond creating uxc bindings/links for its own endpoint, which is expected for this type of integration.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/3/7
Initial release of Linear GraphQL Skill
- Provides CLI-based access to Linear workspace issues, projects, and teams via the Linear GraphQL API using UXC.
- Supports both Personal API Key and OAuth authentication, with detailed setup instructions for each.
- Includes examples for querying and managing issues, projects, and teams.
- Offers troubleshooting guidance for common authentication and command-line issues.
- Emphasizes guardrails for safe automation and best practices in API interaction.
● Benign
Install command
Official: npx clawhub@latest install linear-graphql-skill
Mirror (accelerated): npx clawhub@latest install linear-graphql-skill --registry https://cn.longxiaskill.com