ClawHub

Monday Direct

v1.0.7

Interact directly with the monday.com GraphQL API — no third-party gateway required. Read and create boards, items, columns, updates, and users. Use when ask...

1· 78·0 current·0 all-time
byJonah@jonah-saltzman
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the implementation: the code and docs implement a CLI wrapper around the monday.com GraphQL API and only request MONDAY_API_TOKEN plus optional endpoint overrides relevant to monday platform apps.
Instruction Scope
SKILL.md instructs the agent to run the included Node script and to provide the MONDAY_API_TOKEN. It does not instruct reading unrelated files, scanning the host, or transmitting data to third-party endpoints other than optionally overriding the monday API endpoint. The references are documentation only.
Install Mechanism
There is no automated install spec in the registry; SKILL.md asks the user to run npm install in ~/.agents/skills/monday/scripts. That will fetch @mondaydotcomorg/api from the public npm registry — expected for a Node skill but introduces the usual supply-chain considerations (npm package trust, network fetch). No downloads from unknown URLs or archive extraction are present.
Credentials
Requires only MONDAY_API_TOKEN (primary credential) and documents two optional env vars that are relevant to monday platform usage. No unrelated credentials or broad environment/config path access are requested.
Persistence & Privilege
The skill is not always-enabled and is user-invocable. It suggests storing the API key in openclaw.json if desired, which is a reasonable convenience option and common for skills; the skill does not request or modify other skills' configs or system-wide settings.
Assessment
This skill appears to do exactly what it says: a lightweight Node CLI that issues GraphQL requests to monday.com using MONDAY_API_TOKEN. Before installing, consider: 1) Only provide a monday token with the minimal scopes needed and rotate it regularly. 2) Run npm install in an environment you control and audit the dependency (@mondaydotcomorg/api) for the expected version. 3) If you store the token in openclaw.json or agent config, ensure that config is access-controlled and backed up securely. 4) If you want extra isolation, run the skill in a restricted container or dedicated agent instance to limit the blast radius of a compromised npm package.

Like a lobster shell, security has layers — review code before you run it.

latestvk97avaej9291rh3tc7dzncyxfn84q8gh

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📋 Clawdis
EnvMONDAY_API_TOKEN
Primary envMONDAY_API_TOKEN

Comments