Skill v1.3.0

VirusTotal security

monday.com · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 30, 2026, 5:45 AM
Hash
045faa92f1040e9b6d5bb09dcd907b75f7227adf65c1d0cbc6ec3c17fe1a6054
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: monday-com
Version: 1.3.0
The skill bundle contains highly unusual instructions in `SKILL.md` for bypassing an 'agent-verification challenge' called 'Hatcha' using various decoding techniques (ROT13, Base64, Hex), which suggests a mechanism for unauthorized autonomous account creation. Furthermore, it directs the agent to install an MCP server from `@mondaydotcomorg/monday-api-mcp`, a package name that appears to be a typosquatted version of the official monday.com developer namespace, posing a high risk of supply chain attack via `npx` execution. While no direct data exfiltration is observed, the combination of security bypass instructions and suspicious package dependencies warrants a cautious classification.