Back to skill

Security audit

Monday For Agents

Security checks across malware telemetry and agentic risk

Overview

This is a coherent monday.com integration guide with purpose-aligned API and MCP access, though users should avoid copying the plaintext token example into a saved config file.

Install only for an agent-specific monday.com account with the least permissions needed. Store MONDAY_API_TOKEN in OpenClaw environment settings or a secret manager, do not paste real tokens into checked-in JSON files, and keep TOOLS.md or saved board IDs private.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The local MCP example embeds `MONDAY_API_TOKEN` directly in JSON configuration as `"your_token_here"`, which contradicts earlier guidance not to persist secrets in files. This creates a realistic risk of credential exposure through local file disclosure, backups, screenshots, or accidental commits, especially because config files are commonly long-lived and broadly readable.

Ssd 3

Medium
Confidence
99% confidence
Finding
The example hardcodes an API token in the MCP server configuration despite repeated guidance elsewhere not to persist secrets. This inconsistency is dangerous because users often copy-paste examples verbatim, leading to credential storage in plaintext files and subsequent token compromise.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.