Twenty CRM

Security checks across malware telemetry and agentic risk

Overview

This Twenty CRM skill appears legitimate, but it gives agents write/delete access to business CRM data and it sources a user-controllable configuration file as shell code, so whoever controls that file controls what the script executes.

Review it before installing. Use it only with a Twenty API key scoped as narrowly as possible, do not run DELETE or PATCH actions unless the user explicitly asks for them, and never point TWENTY_CONFIG_FILE at a file you do not control. Prefer a config reader that parses KEY=VALUE lines, or environment variables exported by hand, over sourcing config files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
The documentation advertises POST, PATCH, and DELETE operations against CRM records without any caution that these commands modify or permanently remove business data. In an agent setting, this increases the chance of accidental destructive actions, especially when users or downstream agents copy examples verbatim without understanding the consequences.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The script sources a configuration file as shell code via `source "$CONFIG_FILE"`, and that file path can be set through `TWENTY_CONFIG_FILE`. If an attacker can modify the config file, or point the environment variable at a file they control, every line of that file runs as shell commands with the privileges of the user invoking the script; `export`ing the API key afterwards then hands the secret to every child process the script spawns.
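The following is an added example, not the skill's own code and not part of the scan output: the `source "$CONFIG_FILE"` pattern the finding describes, placed beside an allowlisted KEY=VALUE reader that could replace it. The file names, the two-key allowlist, the accepted value characters and both sample config files are assumptions of this example; `.` is the POSIX spelling of bash's `source`.

```shell
#!/bin/sh
# Added example, not the Twenty CRM skill's own code: the `source "$CONFIG_FILE"`
# pattern from the finding beside an allowlisted KEY=VALUE reader that replaces it.
# File names, the key allowlist and the sample configs are assumptions of this example.

WORK="${TMPDIR:-/tmp}/twenty_cfg_example.$$"
MARKER="$WORK/pwned"   # created only if a planted command actually runs

# The pattern the finding describes: the config file is executed as shell code.
load_config_unsafe() {
  . "$1"
}

# On any bad line, drop everything read so far and fail closed.
reject() {
  echo "config rejected: $1" >&2
  TWENTY_API_KEY=; TWENTY_BASE_URL=
  return 1
}

# Hardened reader: KEY=VALUE lines only, allowlisted keys only, values limited to
# characters plausible in a key or URL, nothing exported (callers decide what each
# child process sees). Returns non-zero, with both variables unset, on any bad line.
load_config_safe() {
  cfg=$1
  TWENTY_API_KEY=; TWENTY_BASE_URL=
  if [ ! -f "$cfg" ] || [ -L "$cfg" ]; then
    reject "not a regular file (or a symlink): $cfg" || return 1
  fi
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in ''|'#'*) continue ;; esac              # blank lines and comments
    case $line in *=*) ;; *) reject "not KEY=VALUE: $line" || return 1 ;; esac
    key=${line%%=*}
    val=${line#*=}
    case $val in                                          # no $ ` ( ) ; | & quotes or spaces
      *[!A-Za-z0-9_./:@=%?-]*) reject "bad character in value of $key" || return 1 ;;
    esac
    case $key in                                          # assignment without eval
      TWENTY_API_KEY)  TWENTY_API_KEY=$val ;;
      TWENTY_BASE_URL) TWENTY_BASE_URL=$val ;;
      *) reject "key not in allowlist: $key" || return 1 ;;
    esac
  done < "$cfg"
  [ -n "$TWENTY_API_KEY" ] && [ -n "$TWENTY_BASE_URL" ]
}

# Constructed sample configs: one clean, one poisoned with a bare command and a
# command substitution, i.e. what an attacker who controls the file or
# TWENTY_CONFIG_FILE would plant. The key value is a placeholder, not a real key.
write_samples() {
  mkdir -p "$WORK"
  cat > "$WORK/clean.env" <<'EOF'
# Twenty CRM settings (constructed sample)
TWENTY_API_KEY=twenty_example_key_0123456789
TWENTY_BASE_URL=https://api.twenty.com
EOF
  cat > "$WORK/poisoned.env" <<'EOF'
TWENTY_API_KEY=twenty_example_key_0123456789
TWENTY_BASE_URL=https://api.twenty.com
touch "$MARKER"
TWENTY_API_KEY=$(printf injected)
EOF
}

# Returns 0 when sourcing the poisoned file ran the planted command (marker exists)
# and the command substitution replaced the key.
demo_unsafe() {
  write_samples
  rm -f "$MARKER"
  load_config_unsafe "$WORK/poisoned.env"
  [ -f "$MARKER" ] && [ "$TWENTY_API_KEY" = injected ]
}

# Returns 0 when the reader accepts the clean file and rejects the poisoned one
# without running anything from it and without leaving a partial result behind.
demo_safe() {
  write_samples
  rm -f "$MARKER"
  load_config_safe "$WORK/clean.env" || return 1
  [ "$TWENTY_API_KEY" = twenty_example_key_0123456789 ] || return 1
  if load_config_safe "$WORK/poisoned.env" 2>/dev/null; then return 1; fi
  [ ! -f "$MARKER" ] && [ -z "$TWENTY_API_KEY" ]
}

cleanup() { rm -rf "$WORK"; }

if demo_unsafe; then echo "source: planted command ran and the key was replaced"; fi
if demo_safe;   then echo "reader: clean file accepted, poisoned file rejected, nothing executed"; fi
cleanup
```

The reader fails closed on purpose: a config that is partly valid is more dangerous than one that is refused outright, because the agent would otherwise proceed with a half-loaded credential set. It also never `export`s the values; the call that needs the key receives it explicitly, so unrelated child processes never inherit it.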

VirusTotal

0/63 vendors flagged this skill; all 63 reported it clean.