linear-claude-skill
Audited by Socket on Feb 28, 2026
1 alert found:
Malware

This SKILL.md describes a Linear management skill whose stated purpose, required credentials (LINEAR_API_KEY), network endpoints (linear.app, mcp.linear.app), and tooling (linear CLI, @linear/sdk, local TS scripts) are consistent and proportionate to managing Linear issues and projects. There are no obvious supply-chain red flags like curl|bash download-execute chains, unknown exfiltration endpoints, obfuscated code, or instructions to forward secrets to third-party domains. The main residual risk is operational: running local scripts (npx tsx) executes code with user privileges and the skill requires storing and injecting an API key into processes — both are necessary for this functionality but increase the attack surface if the local scripts or referenced packages are tampered with. Follow best practices: verify the scripts' source, pin dependencies, and avoid printing or exposing secrets. Overall I assess this skill as benign for its declared purpose but with normal operational supply-chain risks from executing local scripts and handling API keys.