Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Monday.com Accountability
v0.1.0
Manage accountability items on the configured Monday.com board. Use when creating new accountability items, checking on existing ones, running work sessions,...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name, description, GraphQL snippets and helper script are coherent with a Monday.com accountability agent. However SKILL.md refers to plugin-config keys (e.g., mondayApiToken, boardId) while the included script expects environment variables (MONDAY_API_TOKEN, MONDAY_BOARD_ID) or ~/.openclaw/.env — a mismatch between documented config and actual runtime requirements.
Instruction Scope
Runtime instructions direct hourly 'real work sessions' that include reading all active items/sub-items, creating sub-items, writing updates, updating statuses, and orchestrating sub-agents or people. That orchestration gives the agent broad discretion (spawning coding agents, messaging people) and SKILL.md and script disagree about how credentials are supplied. The instructions also reference reading/assessing code bases ('Read ALL of it') which could expand the agent's access beyond Monday.com data.
Install Mechanism
There is no install spec (instruction-only) which lowers risk. The shipped bash helper uses curl and jq but the skill declares no required binaries; missing declared dependency on jq (and implicitly curl) is a manifest inconsistency that can cause runtime failures.
Credentials
The skill metadata lists no required environment variables, yet the script requires MONDAY_API_TOKEN and MONDAY_BOARD_ID and will fall back to reading ~/.openclaw/.env for MONDAY_API_TOKEN. Requesting the user's Monday API token is expected for functionality, but failing to declare these env vars (and reading a user-local .env file) is an under-specification and increases risk/opacity.
Persistence & Privilege
always:false and no install spec means the skill does not demand permanent forced presence. It does instruct recurring hourly runs (a cron) but does not itself request elevated platform privileges or modifications to other skills' configs.
What to consider before installing
Key points to verify before installing:
- Configuration mismatch: The SKILL.md names plugin config keys (mondayApiToken, boardId) but the helper script expects MONDAY_API_TOKEN and MONDAY_BOARD_ID environment variables or a token in ~/.openclaw/.env. Ask the author which is correct and update the manifest accordingly.
- Credentials: The script needs your Monday.com API token and board ID. Only provide a token with the minimum necessary scope (prefer board-scoped or limited permissions) and avoid supplying a full-admin token.
- Local .env access: The script will try to grep ~/.openclaw/.env for MONDAY_API_TOKEN — confirm you’re comfortable with the skill reading that file and that the file does not contain other sensitive tokens.
- Binaries: The script uses curl and jq but the skill doesn't declare required binaries. Ensure jq is available in the runtime environment or request the author to declare it in the manifest.
- Broad agent actions: The SKILL.md allows spawning sub-agents, performing code-related work, and messaging people. Confirm limits on who may be messaged and whether spawning other agents is allowed in your deployment. Consider running in a sandboxed/test board first.
- Test safely: Try the skill with a test token and test board, monitor the API calls, and review any automated updates the agent writes. If you need higher assurance, ask the author to: (1) fix config/env mismatch, (2) declare required binaries, and (3) document exact permissions and messaging endpoints.

Like a lobster shell, security has layers — review code before you run it.
latestvk97cypwepensq4hdb1yf8vwgvs83v2pp
