Is monday safe?
https://clawhub.ai/byungkyu/monday
This Monday.com integration skill is a documentation-only skill (no executable code in the repo) that instructs the agent to make API calls through a third-party proxy gateway (gateway.maton.ai) rather than directly to Monday.com. The primary risks are: (1) all data flows through Maton's infrastructure where it could be intercepted, (2) the skill normalizes a pattern of the agent executing inline Python code with credentials from prompt content, and (3) troubleshooting steps could leak the API key. No malicious intent is evident, but the trust dependency on the third-party gateway is significant.
Findings (7)
HIGH All traffic routed through third-party proxy gateway -30
Every API call goes through gateway.maton.ai instead of directly to api.monday.com. The gateway operator (Maton) has full visibility into all requests and responses, including board data, user information, and item contents. The gateway also manages OAuth tokens via ctrl.maton.ai, meaning the third party holds the user's Monday.com credentials. If Maton's infrastructure is compromised or acts maliciously, all Monday.com data is exposed.
MEDIUM Inline executable code blocks train agent to run arbitrary shell commands -20
The skill contains 15+ Python code blocks using the 'python <<EOF' heredoc pattern that the agent is expected to copy and execute. This normalizes a dangerous pattern where the agent runs code embedded in prompt content. A subsequent prompt injection attack could inject similarly-formatted code blocks that the agent would execute without additional scrutiny, since the skill has established this as the expected interaction pattern.
MEDIUM Troubleshooting section instructs echoing API key to stdout -15
The troubleshooting section includes 'echo $MATON_API_KEY' as a diagnostic step. If the agent follows this instruction, the API key will be printed to the conversation output, potentially exposing it in logs, screenshots, or shared sessions.
MEDIUM Cross-skill promotion with direct install URL -15
The skill description promotes another skill ('api-gateway') with a direct ClawHub URL (https://clawhub.ai/byungkyu/api-gateway), encouraging the agent to suggest installing additional skills. This could be used to expand the attack surface by chaining skill installations from the same author.
LOW No install scripts or git hooks but heavy inline code -40
The skill has no package.json, install scripts, git hooks, or submodules. However, it contains extensive inline Python code that functions as executable code when the agent runs it. The code accesses environment variables and makes network requests.
LOW Installer reads sensitive dotfiles during installation -5
The ClawHub installer process (not the skill itself) reads .env, .aws/credentials, .profile, .bashrc, and openclaw config files during installation. While this appears to be standard installer behavior, it means the installer has access to sensitive credentials during the install phase.
INFO Gateway proxy creates single point of trust -45
The skill's entire functionality depends on trusting Maton's infrastructure. If Maton is compromised, goes rogue, or experiences a breach, every user of this skill has their Monday.com data and OAuth tokens exposed. Users have no way to verify what the gateway does with their data in transit.