Monday.com Accountability

Security checks across malware telemetry and agentic risk

Overview

The skill is not clearly malicious, but it gives an agent broad recurring authority to do work, change Monday.com data, contact people, and delegate tasks without tight controls.

Install only if you intentionally want scheduled autonomous accountability work, not just Monday.com board updates. Use a least-privileged Monday token, restrict it to the intended board, avoid storing secrets in item details, and require human approval before outreach, config changes, status transitions to Done, or spawning sub-agents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Description-Behavior Mismatch

High
96% confidence
Finding
The manifest says this skill manages accountability items on a Monday.com board, but the workflow expands into performing arbitrary 'real work,' including code work, config changes, research, outreach, and project reassessment. That scope expansion is dangerous because it can cause the agent to take autonomous actions far beyond board administration under the guise of routine cron execution.

Context-Inappropriate Capability

Medium
94% confidence
Finding
The skill instructs the agent to message people and contact the owner, even though its declared purpose is Monday.com accountability-board management. This adds an external communication capability that can expose task details, create unauthorized outreach, and cause privacy or reputational harm without clear consent boundaries.

Context-Inappropriate Capability

Medium
94% confidence
Finding
The skill directs the agent to spawn sub-agents and coding agents, which materially extends its power from board tracking into orchestration of other autonomous actors. That creates a risk of uncontrolled task execution, privilege spread, and loss of oversight, especially when triggered by a recurring cron workflow.

Context-Inappropriate Capability

Medium
94% confidence
Finding
The script silently falls back to reading a Monday API token from ~/.openclaw/.env, which expands its access beyond explicit runtime inputs and creates credential-discovery behavior. In an agent skill context, this is risky because the skill can operate with locally stored secrets without the caller intentionally supplying credentials for this invocation.

Vague Triggers

Medium
80% confidence
Finding
The activation text is broad and includes common phrases such as creating items, checking status, running work sessions, cron firing, or asking about status. Over-broad invocation criteria increase the risk that the skill activates in ordinary conversation or unrelated contexts, which is especially dangerous given the skill's ability to update boards, orchestrate work, and contact others.

Missing User Warnings

Medium
91% confidence
Finding
The skill instructs messaging people and the owner but provides no explicit user-facing disclosure that it may initiate outreach or share accountability-item context externally. This is dangerous because users may assume the skill only manages a board, while it can actually transmit information to humans outside the system.

Ssd 3

Medium
95% confidence
Finding
The skill requires including the full Details/Doc text in every sub-agent prompt, even though that text may contain sensitive instructions, history, constraints, or personal/project data. Broadly forwarding full context to downstream agents violates data minimization and increases the blast radius of sensitive information exposure.

VirusTotal

65/65 vendors flagged this skill as clean.
