Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Twenty CRM OAuth Mastery

v1.0.0

Provides expert OAuth 2.0 implementation, troubleshooting, and token management for Twenty CRM with Google/Microsoft OAuth and email/calendar sync integration.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and SKILL.md focus on Twenty CRM OAuth troubleshooting and implementation. The files referenced, commands suggested (build, restart, docker, curl) and code snippets are consistent with debugging an OAuth server and enabling token preservation for sync services.
Instruction Scope (flagged)
Although reasonable for a debugging guide, the SKILL.md explicitly instructs the agent/operator to run commands that inspect container filesystem and environment (e.g., docker exec ... cat /app/dist/..., docker exec fratres-twenty env | grep AUTH_GOOGLE) and to change server/cookie settings (e.g., set httpOnly: false). Those instructions let an agent read environment variables, compiled code, and potentially modify security-relevant code — actions that go beyond passive guidance and can expose credentials or weaken runtime security.
Install Mechanism
Instruction-only skill with no install spec or external downloads. No code is written or fetched by an installer, which keeps install risk low.
Credentials (flagged)
The skill declares no required env vars but repeatedly references AUTH_GOOGLE_CLIENT_ID, AUTH_GOOGLE_CLIENT_SECRET, AUTH_GOOGLE_CALLBACK_URL and suggests grepping env output. Requiring unrestricted access to container env and config is disproportionate to a read-only guidance document and increases risk of credential exposure if the agent follows instructions autonomously or without environment safeguards.
Persistence & Privilege
The skill is not always-enabled, does not install or request persistent presence, and is user-invocable. It does not request elevated platform privileges itself.
What to consider before installing
This skill contains detailed, actionable steps for debugging and fixing OAuth issues in Twenty CRM — including commands that inspect containers and environment variables and recommendations to change cookie security settings. Before using it:

1) Only run the suggested docker/env commands in a trusted development or staging environment (not production).
2) Do not expose or copy AUTH_GOOGLE_* secrets; if you must inspect them, do so via secure, audited means.
3) Be cautious about suggestions that reduce cookie security (httpOnly: false) — avoid applying such changes in production.
4) If you plan to let an autonomous agent run these instructions, restrict its access to containers and secrets and review outputs before any code changes.

If you need stronger assurance, ask the skill author to explicitly document required environment access and to provide a safe checklist for production vs. dev usage.
