Is avegancafe/linear-todos safe?

This skill is explicitly declared as a source-execution skill. The agent executes Python code from src/linear_todos/ for every CLI command. While the audited code is legitimate and confined to api.linear.app, this creates a persistent code execution channel running with full user permissions. Any code update to the skill files immediately takes effect without requiring SKILL.md changes.

config.py implements _find_openclaw_user_timezone() which walks up to 5 parent directory levels from the skill's installation path, searching for and reading USER.md files. The function extracts timezone strings via regex. While only timezone is extracted in the current implementation, this establishes an automatic cross-boundary file-read behavior that executes on every config load, and USER.md files may contain sensitive workspace configuration.

The skill bundle includes .clawhub/lock.json containing a reference to 'academic-research-hub' v0.1.0 with an installedAt timestamp of approximately February 2026. This is almost certainly a developer's workspace lock file accidentally committed with the skill. If the OpenClaw runtime processes this file during installation, it could register or attempt to install academic-research-hub without user consent, constituting an unauthorized dependency injection.

The setup wizard stores the user's Linear API key in plaintext JSON at ~/.config/linear-todos/config.json. Although 0o600 permissions are set and the behavior is documented, a persistent plaintext credential file is a higher-risk storage pattern than environment variables or the system keychain. Any process or script running as the user can read this file.

SKILL.md instructs the agent: 'Present the output exactly as formatted - don't reformat or summarize.' This prevents the agent from applying judgment to sanitize or contextualize raw CLI output before presenting to the user, potentially allowing unexpected content (e.g., from issue titles fetched from Linear) to reach the user unfiltered.

setup_wizard.py sets the LINEAR_API_KEY environment variable via os.environ during the setup session to test the provided key. While transient and documented, environment variables are readable by all child processes and may be inspectable by other processes on some systems during the setup window.

The skill depends on dateparser (complex NLP date parsing library), requests (HTTP client), and click (CLI framework). dateparser in particular is a substantial library with regex, locale, and parsing subsystems. These are not audited as part of this review and represent a supply-chain attack surface if any dependency package is compromised.

The skill openly documents its cross-boundary file read behavior in SKILL.md: 'Falls back to OpenClaw USER.md timezone if available.' This is honest disclosure, but means the automatic parent-directory traversal in config.py executes on every config initialization, not just on explicit user request.

The connection diff after installation shows openclaw-gateway (pid=1092) with new ESTABLISHED connections to 104.16.4.34:443 (Cloudflare CDN) and 54.211.197.216:443 (AWS EC2, likely OpenClaw backend), plus two new TCP listeners at 127.0.0.1:18790 and 18793. These are attributed to the OpenClaw runtime platform rather than the skill. No Python from the skill was executed during monitoring.

auditd PATH records show the canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were opened at timestamps 1771952601 (pre-clone setup), 1771952610, 1771952617, and 1771952620 (post-install). The periodic pattern and canary integrity report both confirm these reads are from the monitoring infrastructure itself. All canary file contents remain unmodified.

Unlike instruction-only skills, future updates to this skill's Python files (api.py, config.py, cli.py) take immediate effect on the next invocation without any SKILL.md change being visible. Users should periodically audit src/linear_todos/api.py (the sole HTTP request origin) after skill updates.

The parent-directory traversal in config.py currently targets USER.md for timezone extraction. This same pattern could be extended in a future skill update to also read CLAUDE.md, .env, or project configuration files using identical traversal logic, with no change visible at the SKILL.md level.

The Linear API key stored at ~/.config/linear-todos/config.json persists indefinitely after first setup. If the user's account is later compromised, this provides a ready-made Linear workspace access token without requiring the attacker to intercept an active session. The skill recommends using environment variables to avoid this, but the setup wizard creates the file by default.

cron-jobs.txt is shipped with the skill and provides ready-made crontab entries for daily digest invocations. The skill explicitly states these are not auto-installed and require manual crontab editing. However, its presence lowers friction for users to establish persistent scheduled code execution and could be used in social engineering.