Monday mcp

Pass

Audited by VirusTotal on May 7, 2026.

Overview

Type: OpenClaw Skill
Name: maverick-monday-mcp
Version: 1.0.1

The skill provides a legitimate integration for Monday.com using the mcporter MCP client. The included shell scripts (init-mcporter.sh and invoke.sh) are well-documented and implement security best practices, such as using environment variables to pass secrets to jq (avoiding process list exposure) and utilizing file locking (flock) for atomic configuration updates. The skill's behavior is entirely consistent with its stated purpose of managing Monday.com boards and items via an official-looking endpoint (mcp.monday.com).

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used incorrectly, the agent could change or delete Monday.com business data available to the connected account.

Why it was flagged

The skill can perform high-impact mutations in Monday.com, including delete/archive and workspace changes, but it discloses this and instructs confirmation before writes.

Skill content

Write operations (`create_item`, `update_item`, `delete_item`, `create_update`, column changes, board archive/delete actions, and workspace changes) modify Monday.com data visible to the connected account. Confirm clear user intent before invoking write tools

Recommendation

Use a least-privileged Monday.com grant where possible and require explicit user confirmation for creates, updates, deletes, archive actions, and workspace changes.

What this means

The local mcporter vault will contain a bearer token that can access the connected Monday.com account according to that token's permissions.

Why it was flagged

The script persists the env-supplied Monday.com OAuth access token into mcporter's local credential vault so the MCP client can authenticate.

Skill content

mcp_vault="${HOME}/.mcporter/credentials.json" ... tokens:     {access_token: env.mcp_access, token_type: "Bearer"}

Recommendation

Protect the local user account and mcporter credential file, use the narrowest practical Monday.com permissions, and revoke or rotate the token if access should be removed.

What this means

Future installs may receive a newer mcporter version than the one the skill author tested.

Why it was flagged

The skill's required CLI is installed from npm without a pinned version; this is disclosed and central to the skill's purpose, but version drift can affect reproducibility.

Skill content

Auto-installed via `npm install -g --ignore-scripts mcporter` if missing on PATH ... The install spec uses unpinned `mcporter` (npm `latest`)

Recommendation

Operators with stricter supply-chain requirements should pin mcporter to a reviewed version before installation.