Twenty CRM OAuth Mastery

Security checks across malware telemetry and agentic risk

Overview

This documentation-only OAuth troubleshooting skill is internally coherent, but its production authentication guidance is risky: followed as written, it could expose user session tokens to any script running in the browser.

Use it only as a high-sensitivity OAuth troubleshooting reference, not as drop-in production guidance. Before applying its fixes, have a security engineer review the `httpOnly: false` cookie recommendation, prefer server-side sessions or HttpOnly cookies wherever the frontend does not strictly need the token, and never paste live OAuth secrets, token values, or raw `docker ... env` output into chats, tickets, logs, or documentation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
The skill explicitly instructs setting the authentication cookie with `httpOnly: false` so that frontend JavaScript can read the token material. Exposing auth tokens to browser JS materially increases theft risk through XSS, malicious extensions, injected third-party scripts, and accidental client-side logging (for example, a `console.log(document.cookie)` left in a debugging path), and the guidance presents this as a required fix rather than a last-resort tradeoff.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The document recommends making the auth cookie readable by frontend JavaScript without warning about the security and privacy consequences. Even if technically convenient, this weakens a core browser protection boundary and makes compromise of any client-side script context much more likely to result in account takeover or API misuse.
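Both findings come down to one cookie attribute. The following is an added example (not code from the scanned skill or from the Twenty CRM project) that builds the `Set-Cookie` header the skill's `httpOnly: false` advice produces beside a hardened one, models the browser rule that `document.cookie` never returns cookies carrying `HttpOnly`, and applies the same review the findings apply. The cookie name `tokenPair`, the token value, and the `reviewCookieOptions` helper are assumptions made for illustration.

```javascript
// Added example; not part of the scanned skill or of Twenty CRM.
// Demonstrates why a token cookie set with httpOnly: false is readable by
// any script in the page, and what a hardened cookie looks like instead.

// Turns an options object (shape modelled on common Node cookie helpers,
// an assumption) into a Set-Cookie header string.
function buildSetCookie(name, value, opts) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  if (opts.sameSite) parts.push(`SameSite=${opts.sameSite}`);
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${opts.maxAge}`);
  return parts.join('; ');
}

// What the skill's guidance amounts to: the token cookie is readable by JS.
const RISKY_COOKIE_OPTIONS = { httpOnly: false, secure: true, sameSite: 'Lax', path: '/' };
// What a security review would ask for instead: same cookie, script-inaccessible.
const HARDENED_COOKIE_OPTIONS = { httpOnly: true, secure: true, sameSite: 'Lax', path: '/' };

// Models the browser behaviour that matters here: document.cookie exposes
// every cookie for the origin EXCEPT those set with the HttpOnly attribute.
// Returns the names an injected script (XSS, rogue extension, compromised
// third-party script) could read.
function scriptReadableCookies(setCookieHeaders) {
  return setCookieHeaders
    .filter((header) => {
      const attrs = header.split(';').slice(1).map((a) => a.trim().toLowerCase());
      return !attrs.includes('httponly');
    })
    .map((header) => header.split(';')[0].split('=')[0].trim());
}

// Applies the review the findings describe to a token-cookie options object.
// Returns a list of issues; an empty list means the options pass this check.
function reviewCookieOptions(opts) {
  const issues = [];
  if (!opts.httpOnly) issues.push('token cookie readable by JavaScript (httpOnly: false)');
  if (!opts.secure) issues.push('token cookie sent over plaintext HTTP (secure: false)');
  const sameSite = (opts.sameSite || '').toLowerCase();
  if (!sameSite || sameSite === 'none') issues.push('token cookie attached to cross-site requests (sameSite missing or None)');
  return issues;
}

// Constructed token value for the demo; never a real credential.
const SAMPLE_TOKEN = 'demo-access-token-not-real';

function demo() {
  const risky = buildSetCookie('tokenPair', SAMPLE_TOKEN, RISKY_COOKIE_OPTIONS);
  const hardened = buildSetCookie('tokenPair', SAMPLE_TOKEN, HARDENED_COOKIE_OPTIONS);
  console.log('risky   :', risky);
  console.log('hardened:', hardened);
  console.log('readable by page script:', scriptReadableCookies([risky]));    // ['tokenPair']
  console.log('readable by page script:', scriptReadableCookies([hardened])); // []
  console.log('review of risky options  :', reviewCookieOptions(RISKY_COOKIE_OPTIONS));
  console.log('review of hardened options:', reviewCookieOptions(HARDENED_COOKIE_OPTIONS));
}

demo();
```

If the frontend genuinely needs to know whether a session exists, the usual pattern is a separate non-sensitive flag cookie or an API endpoint that answers from the HttpOnly session, rather than handing the token itself to page script.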

VirusTotal

0/64 vendors flagged this skill; all 64 reported it as clean.
