Trust Assessment
twenty-crm received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 6 findings: 6 critical, 0 high, 0 medium, and 0 low severity. Key findings include Command Injection via unescaped query parameter, Command Injection via unescaped JSON variables, Command Injection via unescaped URL path.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Command Injection via unescaped query parameter.** The `SEARCH` argument, which is user-controlled, is used to construct a `FILTER` JSON string. This `FILTER` string is then directly embedded into the `QUERY` string passed to `twenty-rest-get.sh`. In `twenty-rest-get.sh`, the `QUERY` string is directly concatenated into the `URL` variable without proper shell escaping. If `SEARCH` contains shell metacharacters (e.g., `$(command)`), these will be executed by the shell during the `URL` variable assignment in `twenty-rest-get.sh`. This allows for arbitrary command execution on the host system. This also enables data exfiltration, including the `TWENTY_API_KEY` which is exported in the environment. Ensure all user-controlled arguments are properly shell-escaped or URL-encoded before being used in shell commands or variable assignments. For URL components, use a dedicated URL encoding function (e.g., from Python) to construct the full URL string before passing it to `curl`. | LLM | scripts/twenty-find-companies.sh:25 |
| CRITICAL | **Command Injection via unescaped JSON variables.** The `VARIABLES` argument, which is user-controlled, is directly interpolated into a `printf` command to construct the `BODY` for the `curl` request. If `VARIABLES` contains shell metacharacters (e.g., `$(command)`), these will be executed by the shell during the `printf` command execution. This allows for arbitrary command execution on the host system. This also enables data exfiltration, including the `TWENTY_API_KEY` which is exported in the environment. Ensure all user-controlled arguments are properly shell-escaped or JSON-encoded before being used in shell commands or variable assignments. For JSON bodies, use a dedicated JSON encoding function (e.g., from Python) to construct the full JSON string before passing it to `curl`. | LLM | scripts/twenty-graphql.sh:25 |
| CRITICAL | **Command Injection via unescaped URL path.** The `PATH_PART` argument, which is user-controlled, is directly concatenated into the `URL` variable without proper shell escaping. If `PATH_PART` contains shell metacharacters (e.g., `$(command)`), these will be executed by the shell during the `URL` variable assignment. This allows for arbitrary command execution on the host system. This also enables data exfiltration, including the `TWENTY_API_KEY` which is exported in the environment. Ensure all user-controlled arguments are properly shell-escaped or URL-encoded before being used in shell commands or variable assignments. For URL components, use a dedicated URL encoding function (e.g., from Python) to construct the full URL string before passing it to `curl`. | LLM | scripts/twenty-rest-delete.sh:20 |
| CRITICAL | **Command Injection via unescaped URL path and query string.** The `PATH_PART` and `QUERY` arguments, which are user-controlled, are directly concatenated into the `URL` variable without proper shell escaping. If either `PATH_PART` or `QUERY` contains shell metacharacters (e.g., `$(command)`), these will be executed by the shell during the `URL` variable assignment. This allows for arbitrary command execution on the host system. This also enables data exfiltration, including the `TWENTY_API_KEY` which is exported in the environment. Ensure all user-controlled arguments are properly shell-escaped or URL-encoded before being used in shell commands or variable assignments. For URL components, use a dedicated URL encoding function (e.g., from Python) to construct the full URL string before passing it to `curl`. | LLM | scripts/twenty-rest-get.sh:20 |
| CRITICAL | **Command Injection via unescaped URL path and JSON body.** The `PATH_PART` and `JSON_BODY` arguments, which are user-controlled, are directly interpolated into the `curl` command without proper shell escaping. If either `PATH_PART` or `JSON_BODY` contains shell metacharacters (e.g., `$(command)`), these will be executed by the shell before the `curl` command is invoked. This allows for arbitrary command execution on the host system. This also enables data exfiltration, including the `TWENTY_API_KEY` which is exported in the environment. Ensure all user-controlled arguments are properly shell-escaped, URL-encoded (for path), or JSON-encoded (for body) before being used in shell commands. For URL components and JSON bodies, use a dedicated encoding function (e.g., from Python) to construct the full strings before passing them to `curl`. | LLM | scripts/twenty-rest-patch.sh:20 |
| CRITICAL | **Command Injection via unescaped URL path and JSON body.** The `PATH_PART` and `JSON_BODY` arguments, which are user-controlled, are directly interpolated into the `curl` command without proper shell escaping. If either `PATH_PART` or `JSON_BODY` contains shell metacharacters (e.g., `$(command)`), these will be executed by the shell before the `curl` command is invoked. This allows for arbitrary command execution on the host system. This also enables data exfiltration, including the `TWENTY_API_KEY` which is exported in the environment. Ensure all user-controlled arguments are properly shell-escaped, URL-encoded (for path), or JSON-encoded (for body) before being used in shell commands. For URL components and JSON bodies, use a dedicated encoding function (e.g., from Python) to construct the full strings before passing them to `curl`. | LLM | scripts/twenty-rest-post.sh:20 |
Full report: https://skillshield.io/report/48cfc0f0f6dbb9d2