Back to plugin

Security audit

monday-openclaw-roeiya

Security checks across malware telemetry and agentic risk

Overview

The plugin mostly matches its monday.com integration purpose, but it can automatically change monday.com account state on startup and its public webhook has replay-risk gaps.

Install only if you want monday.com messages to invoke an OpenClaw agent and allow that agent to post back to monday.com. Review the monday.com token scope, avoid setting callbackUrl unless you intend automatic registration/account mutation, keep gatewayUrl and mondayApiUrl trusted, and expose /hooks/monday only behind the intended HMAC-protected public endpoint.

VirusTotal

57/57 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

Detected: suspicious.install_untrusted_source

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
openclaw.plugin.json:37
Evidence
"default": "http://127.0.0.1:18789",