Nova Accountability

Security checks across malware telemetry and agentic risk

Overview

This skill needs review because it can run scheduled work sessions that change Monday.com data, delegate work, alter systems, and message people without tight approval limits.

Install only if you want a recurring accountability agent, not just a Monday.com status helper. Use a dedicated least-privilege Monday token, restrict the board and recipients, disable or tightly control the hourly cron until approvals are in place, and require review before code/config changes, status changes to Done, sub-agent delegation, or outbound messages.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill prescribes shell usage via the helper script and operational steps, but does not declare corresponding permissions or capabilities. This creates a transparency and governance gap: a user or platform may believe the skill is limited to board management while it can invoke local shell commands and access local files such as ~/.openclaw/.env.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The manifest says this skill manages accountability items on Monday.com, but the documented behavior extends into local token discovery, real work execution, and orchestration beyond simple board management. That mismatch is dangerous because users may authorize or invoke the skill under false assumptions, enabling broader actions and data access than its description suggests.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The README explicitly expands the skill from board management into autonomous execution of external actions such as writing code, changing configuration, delegating to sub-agents, and messaging people. That materially increases the skill's authority and blast radius beyond its stated purpose, creating a dangerous scope mismatch that could lead operators to grant access or schedule automation without understanding it may perform real-world side effects.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The README promises a policy constraint that owner-assigned tasks will not be marked Done by the agent, yet the documented helper exposes an unrestricted status-changing command. If the implementation follows this interface without enforcement, an automated agent or operator could bypass the ownership rule and silently alter task state, undermining workflow integrity and accountability controls.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The workflow escalates from managing board items to performing arbitrary operational work, making decisions, modifying systems, and contacting others. This is a scope-expansion vulnerability because a board-management skill becomes a general autonomous actor, increasing the chance of unauthorized actions, unintended changes, and exfiltration of task context to external parties or systems.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill authorizes messaging arbitrary people to unblock work, which can disclose project details, blockers, and internal context to unintended recipients. In the context of a board-management skill, unsolicited outreach is especially risky because it crosses trust boundaries and can leak sensitive information or trigger real-world actions without explicit approval.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The instruction to spawn sub-agents or coding agents materially expands the skill's execution surface beyond Monday.com management. Passing task context, constraints, and details into other agents can propagate sensitive information and cause unreviewed downstream actions that the original skill did not clearly disclose.

Context-Inappropriate Capability

Low
Confidence
85% confidence
Finding
The script automatically reads a Monday API token from ~/.openclaw/.env if the environment variable is unset. While this is likely a convenience feature, it expands the credential access surface beyond explicit runtime input and can cause the skill to use a locally stored secret without clear operator intent.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README describes autonomous code changes, config modifications, and outbound messaging as routine behavior, but provides no explicit warning that these are impactful side effects requiring user awareness and consent. In the context of an hourly scheduled agent, this omission is dangerous because users may deploy it as a board-management tool while it is actually authorized to change systems and contact people automatically.

Missing User Warnings

Low
Confidence
78% confidence
Finding
The README instructs users to provision a Monday API token with read/write access and operate on board data, but does not warn about credential sensitivity, secret storage, or the privacy implications of exposing board contents to an automated agent. This is a real but lower-severity issue because it can lead to overshared credentials or unintended disclosure of operational data, though the README does at least suggest using environment variables rather than hardcoding tokens.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The invocation guidance includes broad phrases like 'you're accountable for X' and general status questions, which can trigger the skill in ordinary conversation without clear user intent. Because the skill can do more than passive tracking, accidental invocation may initiate board changes, work execution, or outreach unexpectedly.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs direct contact with people without prominently warning the user that invocation may cause outreach. Hidden outreach behavior is dangerous because users may not realize a routine accountability request could result in messages being sent to coworkers or third parties, potentially exposing sensitive details and causing reputational or operational harm.

VirusTotal

63/63 vendors flagged this skill as clean.
