← Back to Skills Marketplace
Nova Accountability
by
novalystrix
· GitHub ↗
· v2.0.0
· MIT-0
80
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install nova-accountability
Description
Manage accountability items on a Monday.com board. Use when creating new accountability items, checking on existing ones, running work sessions, or when a cr...
Usage Guidance
Before installing, confirm and correct the missing declarations and limit runtime scope: 1) Expect to provide a Monday API token (MONDAY_API_TOKEN) and board id (MONDAY_BOARD_ID) — the manifest should list them; 2) Ensure curl and jq are available or update the script to avoid jq; 3) Note the script will look in ~/.openclaw/.env for MONDAY_API_TOKEN — review that file for other secrets and consider placing the token in a dedicated env var instead; 4) Decide whether you want the agent to be allowed to 'spawn sub-agents' and 'message anyone' — if not, restrict the agent's permissions or remove/modify those instructions; 5) Run the skill in a constrained environment (limited network access, least-privilege token scoped to boards read/write) and review logs for outbound communication; and 6) If you need high assurance, ask the publisher to update the skill metadata to declare required env vars and binaries and to clarify exactly which external channels (email, Slack, etc.) the agent will use and what credentials are needed.
Capability Analysis
Type: OpenClaw Skill
Name: nova-accountability
Version: 2.0.0
The skill contains shell injection vulnerabilities in `scripts/monday-api.sh` due to unsafe handling of arguments in the `query` function and `update` command. Additionally, the `SKILL.md` instructions contain high-risk directives for an autonomous agent, such as 'Don't limit yourself' when messaging people and spawning sub-agents, which could lead to unauthorized communications or resource exhaustion. While the behavior aligns with the stated purpose of a proactive 'Accountability' manager, the combination of insecure scripting and broad operational autonomy warrants a suspicious classification.
Capability Assessment
Purpose & Capability
The skill's name/description (manage Monday.com accountability items) matches the included code and SKILL.md which use the Monday GraphQL API. However the package metadata claims no required env vars or binaries, while the SKILL.md/README/scripts clearly require a MONDAY_API_TOKEN and MONDAY_BOARD_ID and rely on curl and jq. That mismatch is inconsistent and should be corrected.
Instruction Scope
The SKILL.md instructs the agent to read all active items, create sub-items, write updates, and run an hourly 'real work session' that can 'execute the plan' including code work or 'config changes, research, outreach'. It also explicitly tells the agent to 'orchestrate others' (spawn Cursor Agent or other coding agents) and 'message anyone who can help' without enumerating required messaging credentials. The helper script reads ~/.openclaw/.env (to find MONDAY_API_TOKEN) and performs GraphQL calls to api.monday.com. The scope instructions therefore permit broad external interactions (spawning agents, messaging people) that are not reflected in declared requirements — this is scope creep and raises operational risk.
Install Mechanism
There is no install spec (instruction-only), which is low risk. The included script will be written to disk as part of the skill bundle. The script uses curl and pipes output to jq, but the manifest lists no required binaries; the skill should declare curl and jq as required or handle missing binaries gracefully.
Credentials
The SKILL.md and README require MONDAY_API_TOKEN and MONDAY_BOARD_ID, yet the registry metadata states none are required. The script attempts to read MONDAY_API_TOKEN from the environment or by grepping ~/.openclaw/.env — reading a user .env file is a notable behavior (it reads only to extract the token, but that file may contain other secrets). The skill does not declare or request any messaging/notification credentials even though instructions encourage contacting people and spawning sub-agents, creating a gap between capabilities and declared credentials.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent system privileges. It suggests running on a cron schedule (expected). It does not modify other skills or system-wide settings in the files provided.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install nova-accountability - After installation, invoke the skill by name or use
/nova-accountability - Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.0.0
v2.0: Config-driven — all hardcoded values (board ID, column IDs, owner/agent names) moved to plugin config schema. README added. Helper script is env-var based. Generalized for any OpenClaw user running a Monday.com accountability board.
Metadata
Frequently Asked Questions
What is Nova Accountability?
Manage accountability items on a Monday.com board. Use when creating new accountability items, checking on existing ones, running work sessions, or when a cr... It is an AI Agent Skill for Claude Code / OpenClaw, with 80 downloads so far.
How do I install Nova Accountability?
Run "/install nova-accountability" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Nova Accountability free?
Yes, Nova Accountability is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Nova Accountability support?
Nova Accountability is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Nova Accountability?
It is built and maintained by novalystrix (@novalystrix); the current version is v2.0.0.
More Skills