Security Audit
monday-automation
github.com/ComposioHQ/awesome-claude-skills
Trust Assessment
monday-automation received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. The key finding is that raw GraphQL access grants broad, potentially destructive permissions.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 17, 2026 (commit 99e2a295). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Raw GraphQL access grants broad, potentially destructive permissions. The `MONDAY_CREATE_OBJECT` tool provides direct access to the Monday.com GraphQL API, allowing for raw GraphQL mutations. The documentation explicitly states it can be used for operations without dedicated tools, citing examples such as `delete_item` and `archive_board`. This broad, low-level access significantly increases the attack surface, enabling an agent to perform highly destructive or unintended actions if compromised by a malicious prompt or due to an error in its reasoning. Consider implementing stricter controls or a wrapper around `MONDAY_CREATE_OBJECT` to limit its capabilities to only necessary, predefined GraphQL operations. If raw GraphQL access is essential, ensure robust input validation, sanitization, and comprehensive monitoring of its usage to detect and prevent malicious or erroneous actions. | LLM | SKILL.md:247 |