Security Audit
monday-automation
github.com/sickn33/antigravity-awesome-skillsTrust Assessment
monday-automation received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Raw GraphQL tool grants broad, potentially destructive access.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 20, 2026 (commit e36d6fd3). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Raw GraphQL tool grants broad, potentially destructive access The `MONDAY_CREATE_OBJECT` tool allows the execution of arbitrary GraphQL mutations against the Monday.com API. As explicitly stated in the 'Pitfalls' section, this includes operations without dedicated tools such as `delete_item` or `archive_board`. This broad access, if exploited via prompt injection, could lead to unauthorized data modification, deletion, or service disruption on Monday.com boards and items. Implement stricter input validation or allow-listing for GraphQL queries passed to `MONDAY_CREATE_OBJECT` if possible. Consider providing more granular tools for specific destructive actions (e.g., `MONDAY_DELETE_ITEM`, `MONDAY_ARCHIVE_BOARD`) instead of relying solely on a raw GraphQL interface for such critical operations. Educate users and LLM developers about the high-risk nature of this tool and advise caution when constructing or allowing user input to influence GraphQL queries. | LLM | SKILL.md:220 |
Scan History
Embed Code
[](https://skillshield.io/report/69c1a8ec70d91ad3)
Powered by SkillShield