Back to skill

Security audit

Monday.com

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Monday.com integration that can read and change Monday.com data through Maton when the user provides an API key.

Install only if you trust Maton with OAuth-backed Monday.com access. Keep MATON_API_KEY private, verify the intended connection when multiple Monday.com accounts are linked, and approve create, update, or delete operations only after checking the exact target and effect.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Low
Confidence
86% confidence
Finding
The skill states access is scoped to boards, items, columns, groups, and workspaces, but it also documents querying user records including email addresses. That mismatch understates the actual data-access surface and can mislead users or downstream agents about what personal data may be retrieved.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The document claims that all write operations require explicit user approval, but the skill only provides direct mutation and delete examples with no technical enforcement, workflow gate, or confirmation mechanism. An agent consuming this skill could execute destructive actions based solely on prompt context, leading to unauthorized board, item, or data modifications.

Vague Triggers

Medium
Confidence
71% confidence
Finding
The activation guidance is broad enough to match many generic project-management requests, which increases the chance that an agent invokes this networked, write-capable skill when the user did not intend Monday.com access. Over-broad routing expands the opportunity for unnecessary external data disclosure or unintended account changes.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.