Skill v1.0.0
VirusTotal security
Twenty CRM · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review · May 1, 2026, 3:02 AM
- Hash: f6af7788e462480dccce4ff86500e3c309451fd92d4638477e67135420e46c5a
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: twenty-crm. Version: 1.0.0. The skill is classified as suspicious primarily due to a query parameter injection vulnerability in `scripts/twenty-find-companies.sh` and `scripts/twenty-rest-get.sh`. User-provided search terms are incorporated into a URL query string without proper URL encoding, potentially allowing an attacker to inject arbitrary query parameters into the API request. Additionally, `scripts/twenty-config.sh` uses a hardcoded absolute path (`/Users/jhumanj/clawd/config/twenty.env`) for loading configuration, which is a poor practice and indicates a lack of portability or an assumption about a specific execution environment.
