Twenty CRM OAuth Mastery
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill is mostly documentation, but it recommends weakening OAuth session-cookie protections in a way that could expose login tokens.
Review this skill before use. Its OAuth troubleshooting advice is relevant, but do not blindly apply the `httpOnly: false` cookie recommendation or paste OAuth secrets/token values into the agent. Require explicit approval before database changes, Docker restarts, or environment-variable inspection.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user following this guidance could make account tokens easier to steal, potentially allowing unauthorized access to the CRM or connected Google/Microsoft data.
The skill recommends making an authentication token cookie readable by browser JavaScript. That can expose session or OAuth tokens to theft if any XSS or malicious script is present.
httpOnly: false, // 🔴 Must be false for JavaScript access
Do not adopt `httpOnly: false` for token-bearing cookies without a security review. Prefer HttpOnly cookies, short-lived one-time exchange codes, backend-mediated token exchange, or another design that does not expose tokens to JavaScript.
OAuth tokens could allow access to user email, calendar, or CRM-connected services if logged, copied into prompts, or stored insecurely.
The skill intentionally teaches preservation and passing of OAuth access and refresh tokens. This is aligned with email/calendar sync setup, but these tokens grant account access and need careful handling.
return { ...profile, accessToken: _accessToken, refreshToken: _refreshToken,
Ensure token values are never pasted into chats, logs, tickets, or screenshots; store them only in approved secret storage and limit scopes to what the sync feature needs.
Running these commands on the wrong system could cause downtime or expose sensitive OAuth configuration in the agent context or logs.
The skill documents operational commands that can restart a running service and print OAuth-related environment variables, which may include client secrets.
docker restart fratres-twenty # Restart container
docker exec fratres-twenty env | grep AUTH_GOOGLE # Check env vars
Run operational commands only after explicit approval, preferably in staging first, and redact secret values before sharing command output.
