Native Monday
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: native-monday
Version: 0.1.0
The skill is designed to interact with the Monday.com GraphQL API, as described in `SKILL.md`. The `scripts/monday.py` script uses standard Python libraries (`urllib.request`, `argparse`) to make authenticated requests to `api.monday.com`. User inputs like `board_id` and `limit` are passed as GraphQL variables, preventing injection vulnerabilities. There is no evidence of data exfiltration to unauthorized endpoints, persistence mechanisms, obfuscation, or prompt injection attempts against the AI agent. The code's behavior is entirely aligned with its stated purpose.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone installing and using the skill should understand that it can read Monday.com data available to the supplied token, including boards, items, workspaces, and user details.
The skill requires a personal Monday.com API token, which grants delegated access to the user's Monday.com account data. This is expected for the stated integration.
MONDAY_API_TOKEN=your_token_here
Use a token from the intended Monday.com account, limit its access where Monday.com supports scoping, and avoid sharing command output that contains private board or user information.
The agent may retrieve and display internal Monday.com information when asked to query boards, users, or items.
The script exposes read commands that can list account users and their emails, along with boards and items. These queries are purpose-aligned and read-only, but they can reveal sensitive workspace information.
users(limit: $limit) { id name email enabled }
Review prompts before using the skill and avoid requesting broad listings unless you are comfortable exposing that Monday.com information in the agent conversation.
