
Twenty CRM

by JhumanJ · GitHub ↗ · v1.0.0
Platforms darwin, linux
⚠ suspicious
Downloads 2424
Stars 0
Active Installs 6
Versions 1
Install in OpenClaw
/install twenty-crm
Description
Interact with Twenty CRM (self-hosted) via REST/GraphQL.
Usage Guidance
Key points to consider before installing or using this skill:
- Don’t assume the SKILL.md path is authoritative: the scripts actually try to load /Users/jhumanj/clawd/config/twenty.env. That is a hardcoded developer path and is inconsistent with SKILL.md (which says to create config/twenty.env). Ask the author to fix the config path (make it relative or respect an env var) before using.
- Secrets are required but not declared: the scripts need TWENTY_BASE_URL and TWENTY_API_KEY. Keep that API key secret and avoid placing it in world-readable files. Prefer exporting them as environment variables or placing the config file in a secure location you control.
- Verify the destination of requests: the scripts send the API key in an Authorization header to whatever TWENTY_BASE_URL you configure. Ensure that URL is your intended self-hosted instance (not a public or attacker-controlled endpoint).
- Operational notes: these scripts call curl and python3 and write one temporary JSON file to /tmp. They do not install extra software or contact other domains by themselves.
- Recommended actions: ask the skill author to (1) update twenty-config.sh to look for config/twenty.env (or respect an env var or relative path), (2) declare required env vars in the skill metadata, and (3) remove hardcoded user-specific paths. If you cannot get an updated version, inspect and locally modify the scripts to point to your own config path before running them.
Given these coherence issues (hardcoded config path and missing declared credentials), treat the skill as suspicious until those problems are resolved.
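The following is an added example of what a corrected loader could look like; it is not the skill's own scripts/twenty-config.sh and it also serves the Credentials assessment below. It assumes a precedence of explicit argument, then a TWENTY_CONFIG environment variable, then config/twenty.env relative to the script; it lets values already exported in the environment win; it refuses a secret file that is readable by group or others; and it only allows the key to be sent over https (plain http on loopback excepted for local development). The sample config it writes is constructed and contains no real credentials.

```shell
#!/usr/bin/env sh
# Added example (not the skill's own scripts/twenty-config.sh): a loader for
# config/twenty.env with no hardcoded home directory. Environment wins over
# the file, a group/world-readable secret file is refused, and the base URL
# must be https (or http on loopback). Precedence and URL policy are assumed.
set -u

# Resolve the config path: explicit argument, then $TWENTY_CONFIG, then
# ../config/twenty.env relative to this script's directory.
twenty_config_path() {
  if [ -n "${1:-}" ]; then
    printf '%s\n' "$1"
  elif [ -n "${TWENTY_CONFIG:-}" ]; then
    printf '%s\n' "$TWENTY_CONFIG"
  else
    printf '%s/../config/twenty.env\n' "$(cd "$(dirname "$0")" && pwd)"
  fi
}

# Succeed only if the group and other permission bits are all clear
# (mode 0600/0400): columns 5-10 of `ls -ld` read "------" in that case.
twenty_config_is_private() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Accept https anywhere, or plain http only on the loopback interface.
twenty_url_allowed() {
  case "$1" in
    https://*) return 0 ;;
    http://localhost|http://localhost:*|http://localhost/*) return 0 ;;
    http://127.0.0.1|http://127.0.0.1:*|http://127.0.0.1/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Populate TWENTY_BASE_URL and TWENTY_API_KEY. Values already exported take
# precedence; the file only fills in what is missing. The file is parsed as
# literal KEY=value lines (no quoting) rather than sourced, so a stray
# command in it cannot execute.
load_twenty_config() {
  cfg=$(twenty_config_path "${1:-}")
  if [ -z "${TWENTY_BASE_URL:-}" ] || [ -z "${TWENTY_API_KEY:-}" ]; then
    [ -f "$cfg" ] || { echo "config not found: $cfg" >&2; return 1; }
    twenty_config_is_private "$cfg" || {
      echo "refusing $cfg: readable by group/others (chmod 600 it)" >&2; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
      case "$line" in ''|'#'*) continue ;; esac
      key=${line%%=*}; val=${line#*=}
      case "$key" in
        TWENTY_BASE_URL) : "${TWENTY_BASE_URL:=$val}" ;;
        TWENTY_API_KEY)  : "${TWENTY_API_KEY:=$val}" ;;
        *) echo "ignoring unexpected key in $cfg: $key" >&2 ;;
      esac
    done < "$cfg"
  fi
  [ -n "${TWENTY_BASE_URL:-}" ] && [ -n "${TWENTY_API_KEY:-}" ] || {
    echo "TWENTY_BASE_URL and TWENTY_API_KEY are required" >&2; return 1; }
  twenty_url_allowed "$TWENTY_BASE_URL" || {
    echo "TWENTY_BASE_URL must be https:// (or http:// on loopback): $TWENTY_BASE_URL" >&2
    return 1; }
  TWENTY_BASE_URL=${TWENTY_BASE_URL%/}   # normalise a trailing slash away
  export TWENTY_BASE_URL TWENTY_API_KEY
}

# Stand-alone demo with a constructed config file (not real credentials).
demo_dir=$(mktemp -d)
printf 'TWENTY_BASE_URL=https://crm.example.internal/\nTWENTY_API_KEY=example-key-not-real\n' \
  > "$demo_dir/twenty.env"
chmod 600 "$demo_dir/twenty.env"
unset TWENTY_BASE_URL TWENTY_API_KEY
load_twenty_config "$demo_dir/twenty.env" && echo "loaded config for $TWENTY_BASE_URL"
rm -rf "$demo_dir"
```

Dropping the file into place with `chmod 600 config/twenty.env` is what makes the privacy check pass; the same check fails loudly for a 0644 file, which is the failure mode the guidance above warns about.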
Capability Analysis
Type: OpenClaw Skill
Name: twenty-crm
Version: 1.0.0

The skill is classified as suspicious primarily because of a query-parameter injection weakness in `scripts/twenty-find-companies.sh` and `scripts/twenty-rest-get.sh`: user-provided search terms are concatenated into the request URL's query string without URL encoding, so a term containing `&` or `=` is parsed by the server as additional query parameters, letting whoever controls the search term inject arbitrary parameters into the API request. Additionally, `scripts/twenty-config.sh` loads its configuration from a hardcoded absolute path (`/Users/jhumanj/clawd/config/twenty.env`), which is poor practice, makes the skill non-portable, and shows it was written against one specific developer environment.
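To make the encoding point concrete, here is an added example (not code from the skill) showing the splicing pattern the analysis describes next to a percent-encoded version. The endpoint path and the `search` parameter name are illustrative assumptions, not Twenty's actual REST filter syntax; the attacker-controlled term is constructed. python3 is used for the encoding and parsing because the skill's scripts already depend on it.

```shell
#!/usr/bin/env sh
# Added example, not the skill's own scripts. Demonstrates query-parameter
# injection from an unencoded search term, and the percent-encoded fix.
# Assumed: a helper builds GET <base>/rest/companies?search=<term>; the path
# and parameter name are illustrative, not Twenty's real API.
set -u

# Percent-encode one query value per RFC 3986. safe='' also encodes '/',
# '&', '=' and '?', which is what keeps the value inside one parameter.
urlencode() {
  python3 -c 'import sys, urllib.parse; print(urllib.parse.quote(sys.argv[1], safe=""))' "$1"
}

# Vulnerable pattern: the term is spliced into the query string verbatim, so
# "&" and "=" inside it become extra parameters chosen by whoever supplied it.
unsafe_search_url() {
  printf '%s/rest/companies?search=%s\n' "$1" "$2"
}

# Hardened: every reserved byte of the term is encoded; it stays one value.
safe_search_url() {
  printf '%s/rest/companies?search=%s\n' "$1" "$(urlencode "$2")"
}

# How the server sees it: number of distinct parameters after parsing the
# query string of a URL (the same split a web framework performs).
param_count() {
  python3 -c 'import sys, urllib.parse
q = urllib.parse.urlsplit(sys.argv[1]).query
print(len(urllib.parse.parse_qs(q, keep_blank_values=True)))' "$1"
}

# Constructed attacker-controlled term: looks like one search string but
# smuggles two extra parameters.
TERM='acme&limit=1000&orderBy=createdAt'
BASE='https://crm.example.internal'

unsafe=$(unsafe_search_url "$BASE" "$TERM")
safe=$(safe_search_url "$BASE" "$TERM")
echo "unsafe: $unsafe  ($(param_count "$unsafe") parameters)"
echo "safe:   $safe  ($(param_count "$safe") parameters)"
```

The curl-native equivalent of `safe_search_url` is `curl -G --data-urlencode "search=$TERM" "$BASE/rest/companies"`, which encodes the value and appends it as the query string; either way the fix is to encode the value, not to strip characters from it.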
Capability Assessment
Purpose & Capability
The scripts match the stated purpose (curl + GraphQL/REST helpers). However, the skill does not declare the credentials it actually needs (TWENTY_BASE_URL, TWENTY_API_KEY), and the runtime config path is hardcoded to a developer-specific absolute path (/Users/jhumanj/clawd/config/twenty.env) rather than the relative config/twenty.env referenced in SKILL.md. The documentation and the runtime behaviour therefore disagree, which is incoherent and not something the stated purpose requires.
Instruction Scope
SKILL.md instructs the user to create config/twenty.env (relative), but the runtime loader (scripts/twenty-config.sh) reads /Users/jhumanj/clawd/config/twenty.env. The scripts otherwise stay within scope (they only call the target TWENTY_BASE_URL endpoints using curl and call python3 locally). There is no obvious exfiltration to other endpoints, but the absolute config path means the skill may read an unexpected file on the host if present.
Install Mechanism
There is no install spec — this is instruction/script-only. Nothing is downloaded or extracted from the network by the skill itself. Scripts rely on common tools (bash, curl, python3) but no package installation is performed by the skill bundle.
Credentials
The skill requires sensitive data (TWENTY_API_KEY and TWENTY_BASE_URL) but does not declare any required environment variables in its metadata. Instead it expects those values to be present in a config file at an absolute path. Not declaring the credential requirements is a mismatch and increases the risk of misconfiguration or accidental exposure of secrets.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or global agent settings, and does not require persistent system-level installation. It runs only when invoked.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install twenty-crm
  3. After installation, invoke the skill by name or use /twenty-crm
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release
Metadata
Slug twenty-crm
Version 1.0.0
License
All-time Installs 6
Active Installs 6
Total Versions 1
Frequently Asked Questions

What is Twenty CRM?

Interact with Twenty CRM (self-hosted) via REST/GraphQL. It is an AI Agent Skill for Claude Code / OpenClaw, with 2424 downloads so far.

How do I install Twenty CRM?

Run "/install twenty-crm" in the OpenClaw or Claude Code chat to install it in one step. The scripts still need a config file supplying TWENTY_BASE_URL and TWENTY_API_KEY (see Usage Guidance), so some setup is required before first use.

Is Twenty CRM free?

Twenty CRM is free to download, install and use. The listing shows no license, so check the GitHub repository for the actual license terms before redistributing or modifying it.

Which platforms does Twenty CRM support?

Twenty CRM is cross-platform and runs anywhere OpenClaw / Claude Code is available (darwin, linux).

Who created Twenty CRM?

It is built and maintained by JhumanJ (@jhumanj); the current version is v1.0.0.
