Monday

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Monday.com API reference skill, but it can modify or delete Monday.com data through Maton-authenticated requests.

Install only if you trust Maton as the OAuth/API intermediary. Protect MATON_API_KEY, use the least-privileged Monday.com connection practical, verify board/item/connection IDs before any mutation, and require explicit approval before create, update, delete, or connection-removal actions.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The skill documents destructive operations such as deleting boards, items, and connections without any explicit warning, confirmation step, or guidance about irreversible data loss. In an agent-skill context, this increases the chance of accidental or over-broad destructive actions by users or automated agents, especially when example commands are easy to copy and run directly.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal