Is cipher-shad0w/openclaw-linear safe?

https://github.com/openclaw/skills/tree/main/skills/cipher-shad0w/openclaw-linear

90
SAFE

This skill is a documentation-only wrapper for the open-source schpet/linear-cli tool, containing no executable code, no prompt injection, no install hooks, and no canary file compromise. The installation was clean with network activity limited to the expected GitHub clone. The primary risk vectors are inherent to the tool's design rather than malicious authorship: the --variable @file= GraphQL feature and --content-file document upload can read and transmit local files to api.linear.app if an agent is manipulated by prompt injection from another source, and the linear auth token command exposes credentials in plaintext.

Category Scores

Prompt Injection 92/100 · 30%
Data Exfiltration 78/100 · 25%
Code Execution 97/100 · 20%
Clone Behavior 93/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 82/100 · 5%

Findings (6)

MEDIUM GraphQL --variable @file reads local files into API requests -12

The api.md reference documents '--variable <key=value>' with the note '@file reads from path'. This means an agent can be instructed to pass a local file path (e.g., @file=~/.ssh/id_rsa) as a GraphQL variable, causing its contents to be transmitted to api.linear.app. While the SKILL.md itself does not issue such an instruction, the capability is exposed and documented, making it exploitable via prompt injection from another source.

MEDIUM Document upload command can exfiltrate arbitrary local files to Linear -8

The 'linear document create --content-file ' command reads a local file and uploads it as a Linear document. An agent following this skill and operating on attacker-controlled input (e.g., a user-provided file path from a malicious issue description) could be tricked into uploading sensitive files to the Linear workspace.

LOW linear auth token prints stored API credential to stdout -5

The 'linear auth token' subcommand prints the stored Linear API key in plaintext. This is documented as intended for use in curl scripts. If the agent runs this in a logged shell session, or if stdout is captured by another process, the credential is exposed. The SKILL.md curl example embeds this in a subshell which is standard but creates a brief credential exposure window.

LOW Full GraphQL mutation access can cause irreversible workspace changes -8

The 'linear api' command exposes arbitrary GraphQL mutations against the authenticated user's Linear workspace. Commands like issue delete, team delete (with --move-issues), and document delete --permanent are documented and could cause irreversible data loss if an agent misinterprets user intent or is manipulated via prompt injection.

INFO Installation performs standard shallow git clone from github.com 0

The install process cloned the openclaw/skills monorepo from github.com using git sparse-checkout to extract only the skill subdirectory. Connection to 140.82.121.3:443 (GitHub) is expected and legitimate. No unexpected endpoints contacted.

INFO Skill is pure documentation — no executable artifacts 0

The skill directory contains only markdown files (_meta.json, SKILL.md, references/*.md). No scripts, binaries, git hooks, submodules, or install triggers were found. The skill requires the external 'linear' binary to be pre-installed but does not install it itself beyond the metadata-declared Homebrew formula.