twenty-crm

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches runtime OpenAPI schemas from arbitrary Twenty instances (see scripts/fetch_openapi_specs.sh which calls <BASE_URL>/rest/open-api/core and /rest/open-api/metadata) and the SKILL.md/references instruct the agent to treat those live, workspace-generated specs as the source of truth for deciding endpoints and actions, so untrusted third-party schema/content can materially influence tool use and follow-up behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The fetch script (scripts/fetch_openapi_specs.sh) performs runtime HTTP requests to the OpenAPI endpoints (for example: https://api.twenty.com/rest/open-api/core?token=... and https://api.twenty.com/rest/open-api/metadata?token=...), and the skill's docs explicitly recommend supplying those live OpenAPI URLs (including tokenized variants) to LLMs so the fetched schema can be injected into prompts and drive code generation, which means remote content fetched at runtime can directly control agent instructions.