← 返回 Skills 市场
379
总下载
0
收藏
0
当前安装
2
版本数
在 OpenClaw 中安装
/install monday-com
功能描述
Manage monday.com boards, items, columns, groups, updates, and workflows via MCP server (preferred) and GraphQL API (fallback). Use when a user asks to creat...
安全使用建议
This skill appears coherent for a monday.com integration, but take these precautions before installing:
- Prefer the GraphQL fallback unless you trust the MCP package source; invoking `npx ...@latest` downloads and runs remote code each time — consider pinning a specific version instead of `@latest`.
- Store MONDAY_API_TOKEN in a secrets manager or platform secret (not plaintext). Limit the token's scope if possible and use temporary/rotated tokens.
- Review the MCP package repository (if you plan to use it) so you trust its publisher and release history.
- Monitor token usage and audit monday.com activity after enabling the skill. If you cannot confirm the MCP package source, avoid running subprocess installs and stick to direct GraphQL calls.
功能分析
Type: OpenClaw Skill
Name: monday-com
Version: 1.3.0
The skill bundle contains highly unusual instructions in `SKILL.md` for bypassing an 'agent-verification challenge' called 'Hatcha' using various decoding techniques (ROT13, Base64, Hex), which suggests a mechanism for unauthorized autonomous account creation. Furthermore, it directs the agent to install an MCP server from `@mondaydotcomorg/monday-api-mcp`, a package name that appears to be a typosquatted version of the official monday.com developer namespace, posing a high risk of supply chain attack via `npx` execution. While no direct data exfiltration is observed, the combination of security bypass instructions and suspicious package dependencies warrants a cautious classification.
能力评估
Purpose & Capability
Name/description match the requested env var (MONDAY_API_TOKEN) and the SKILL.md explains using monday's MCP server or GraphQL API to manage boards/items/columns/etc., which is expected for this integration.
Instruction Scope
The instructions stay on-topic (signup, obtain token, use MCP or GraphQL, example queries/mutations). They don't ask to read unrelated system files or other credentials. They do instruct running an MCP subprocess or using npx, which broadens what the agent will execute at runtime (see install_mechanism).
Install Mechanism
There is no formal install spec (instruction-only), but SKILL.md recommends invoking the official MCP server via `npx -y @mondaydotcomorg/monday-api-mcp@latest`. Relying on npx/@latest downloads and executing third-party code at runtime is a supply-chain risk; however, this is optional and the doc encourages falling back to direct GraphQL calls.
Credentials
Only MONDAY_API_TOKEN is required and it is justified by the skill's purpose. No unrelated secrets, config paths, or multiple credential requests are present.
Persistence & Privilege
Skill is instruction-only, no install, not always-enabled, and does not request system-wide changes or other skills' configs. Autonomous invocation is allowed by default but not combined with other high-risk factors here.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install monday-com - 安装完成后,直接呼叫该 Skill 的名称或使用
/monday-com触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.3.0
Remove curl examples with auth headers from SKILL.md to avoid VirusTotal false positive. GraphQL examples moved to references/graphql-examples.md. No functional changes.
v1.2.0
monday.com skill: boards, items, columns, groups, updates, workflows, MCP + GraphQL API
元数据
常见问题
monday.com 是什么?
Manage monday.com boards, items, columns, groups, updates, and workflows via MCP server (preferred) and GraphQL API (fallback). Use when a user asks to creat... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 379 次。
如何安装 monday.com?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install monday-com」即可一键安装,无需额外配置。
monday.com 是免费的吗?
是的,monday.com 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
monday.com 支持哪些平台?
monday.com 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 monday.com?
由 regevguym(@regevguym)开发并维护,当前版本 v1.3.0。
推荐 Skills