twenty-crm
Fail
Audited by Gen Agent Trust Hub on Feb 24, 2026
Risk Level: HIGH (CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [CREDENTIALS_UNSAFE]: The file openapi/twenty-metadata.json contains two hardcoded JWT tokens within the description field. These tokens are formatted as active API keys with expiration dates set far into the future (year 2126).
- [EXTERNAL_DOWNLOADS]: The script scripts/fetch_openapi_specs.sh is designed to download OpenAPI JSON files from remote Twenty CRM instances provided via the --base-url argument.
- [COMMAND_EXECUTION]: The skill documentation and scripts authorize the execution of shell commands (bash, curl) and Python scripts to facilitate CRM operations and data processing.
- [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection by ingesting and relying on external OpenAPI specifications. Malicious content within a compromised CRM's metadata could potentially influence agent behavior.
- Ingestion points: scripts/fetch_openapi_specs.sh downloads external JSON data into the local openapi/ directory.
- Boundary markers: Absent. Instructions suggest treating the live instance as the "source of truth" without explicit validation of text-based metadata.
- Capability inventory: The skill utilizes subprocess execution (curl, bash), file-system writes, and network operations.
- Sanitization: Validation is limited to ensuring the downloaded file is a valid JSON OpenAPI document; it does not sanitize or filter the content of the fields within the document.
Recommendations
- AI detected serious security threats
Audit Metadata