Twenty CRM OAuth Mastery

Provides expert OAuth 2.0 implementation, troubleshooting, and token management for Twenty CRM with Google/Microsoft OAuth and email/calendar sync integration.

This skill contains detailed, actionable steps for debugging and fixing OAuth issues in Twenty CRM — including commands that inspect containers and environment variables and recommendations to change cookie security settings. Before using it: 1) Only run the suggested docker/env commands in a trusted development or staging environment (not production). 2) Do not expose or copy AUTH_GOOGLE_* secrets; if you must inspect them, do so via secure, audited means. 3) Be cautious about suggestions that reduce cookie security (httpOnly: false) — avoid applying such changes in production. 4) If you plan to let an autonomous agent run these instructions, restrict its access to containers and secrets and review outputs before any code changes. If you need stronger assurance, ask the skill author to explicitly document required environment access and to provide a safe checklist for production vs. dev usage.

Type: OpenClaw Skill Name: twenty-oauth-mastery Version: 1.0.0 The skill bundle is classified as suspicious due to the recommendation to set `httpOnly: false` for authentication cookies in `auth.service.ts` (SKILL.md), which is a significant security risk allowing client-side scripts to access and potentially steal tokens. Additionally, the skill frequently instructs the use of `docker exec` commands for diagnostics and configuration within containers (SKILL.md), granting powerful shell access. While these actions are presented as necessary for debugging and fixing the stated application's OAuth issues, they represent high-risk capabilities without clear malicious intent, fitting the 'suspicious' threshold.