Monday.com

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent Monday.com integration, but it uses a Maton API key/OAuth connection and can make user-approved changes to Monday.com data.

Before installing, make sure you trust Maton to proxy Monday.com API requests and keep your MATON_API_KEY secure. Approve write operations only after checking the target account, board, item, and exact change.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

63/63 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Medium
What this means

The agent may be able to create, update, or delete Monday.com resources when the user approves those actions.

Why it was flagged

The skill exposes broad Monday.com GraphQL operations, including management of business/workflow resources. This is aligned with the skill purpose, but mistakes or poorly reviewed requests could affect real Monday.com data.

Skill content

Manage boards, items, columns, groups, users, and workspaces using GraphQL.

Recommendation

Confirm the exact board, item, workspace, and intended change before approving any write operation.

ASI03: Identity and Privilege Abuse
Medium
What this means

Anyone or any agent action with access to this key may be able to call the connected Monday.com account within the granted OAuth permissions.

Why it was flagged

The skill requires a bearer API key that authorizes access to the user's Maton-managed Monday.com connection. This credential use is expected for the integration, but it is sensitive account access.

Skill content

All requests require the Maton API key in the Authorization header: Authorization: Bearer $MATON_API_KEY

Recommendation

Store the API key securely, avoid sharing it in chats or logs, and rotate it if exposure is suspected.

ASI07: Insecure Inter-Agent Communication
Low
What this means

Monday.com queries, responses, and authorized actions pass through Maton's API gateway.

Why it was flagged

Requests and Monday.com OAuth-backed access are mediated by the third-party Maton service. This is clearly disclosed and central to the skill design, but users must trust that proxy with their Monday.com API traffic.

Skill content

Maton proxies requests to `api.monday.com` and automatically injects your OAuth token.

Recommendation

Use this skill only if you trust Maton for managed OAuth, and disconnect unused Monday.com connections.