Monday mcp
PassAudited by ClawScan on May 7, 2026.
Overview
This appears to be a coherent Monday.com connector, but it can change Monday.com data and stores an OAuth token locally for mcporter.
Install this only if you want the agent to access your Monday.com account. Use a limited Monday.com token if possible, confirm any write/delete/archive actions explicitly, and consider pinning the mcporter package version in controlled environments.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used incorrectly, the agent could change or delete Monday.com business data available to the connected account.
The skill can perform high-impact mutations in Monday.com, including delete/archive and workspace changes, but it discloses this and instructs confirmation before writes.
Write operations (`create_item`, `update_item`, `delete_item`, `create_update`, column changes, board archive/delete actions, and workspace changes) modify Monday.com data visible to the connected account. Confirm clear user intent before invoking write tools
Use a least-privileged Monday.com grant where possible and require explicit user confirmation for creates, updates, deletes, archive actions, and workspace changes.
The local mcporter vault will contain a bearer token that can access the connected Monday.com account according to that token's permissions.
The script persists the env-supplied Monday.com OAuth access token into mcporter's local credential vault so the MCP client can authenticate.
mcp_vault="${HOME}/.mcporter/credentials.json" ... tokens: {access_token: env.mcp_access, token_type: "Bearer"}Protect the local user account and mcporter credential file, use the narrowest practical Monday.com permissions, and revoke or rotate the token if access should be removed.
Future installs may receive a newer mcporter version than the one the skill author tested.
The skill's required CLI is installed from npm without a pinned version; this is disclosed and central to the skill's purpose, but version drift can affect reproducibility.
Auto-installed via `npm install -g --ignore-scripts mcporter` if missing on PATH ... The install spec uses unpinned `mcporter` (npm `latest`)
Operators with stricter supply-chain requirements should pin mcporter to a reviewed version before installation.