Odoo Reporting

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed read-only Odoo reporting skill, but users should treat its financial outputs and local report files carefully.

Install only with a dedicated least-privilege read-only Odoo API key, restrict it to the companies and models you intend to report on, and review/delete generated output files because they may contain confidential financial data. Avoid relying on ad-hoc metrics for decisions until unsupported metrics are rejected instead of defaulting to sales invoices, and avoid AI commands until the missing OpenClawIntelligence helper and its data handling are reviewed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Description-Behavior Mismatch

Medium (96% confidence)
Finding
The ad-hoc reporter advertises arbitrary metric support, but _get_metric always queries account.move invoice data and maps unknown metrics to out_invoice sales. This can silently return materially incorrect financial results, causing users or downstream agents to make decisions based on mislabeled data rather than the requested business metric.

Intent-Code Divergence

Medium (93% confidence)
Finding
The class/docstring presents this as a custom ad-hoc report builder, but the implementation does not provide generic reporting and silently substitutes unsupported requests with sales invoice data. In a finance-focused Odoo skill, this mismatch is dangerous because it can misrepresent accounting, CRM, inventory, or other metrics as revenue data without warning.

Description-Behavior Mismatch

High (97% confidence)
Finding
The CLI exposes a generic rpc-call command that lets a caller choose any Odoo model, method, and payload. That exceeds the stated analytics/reporting scope and enables arbitrary remote operations through the configured Odoo credentials, including potentially state-changing or destructive actions if the account has sufficient privileges.

Context-Inappropriate Capability

High (98% confidence)
Finding
The implementation directly forwards user-supplied model, method, and JSON payload into client.call_raw without any validation of operation type, model sensitivity, or method safety. In an Odoo environment this can be abused to invoke write/create/unlink/custom server methods, turning a reporting tool into a general-purpose remote admin interface depending on credential permissions.

Missing User Warnings

Medium (95% confidence)
Finding
The ask() method assembles recent accounting moves and cash-balance data, then sends that financial context to an AI component without any visible consent, minimization, or disclosure control at this call site. In a finance/Odoo skill, this can expose sensitive business and customer financial data to an external model or service, creating confidentiality, compliance, and data-handling risks if the AI backend is remote or logs prompts.

Missing User Warnings

Medium (94% confidence)
Finding
The get_ai_anomaly_report() method retrieves recent posted accounting moves and forwards them to an AI analyzer without explicit disclosure or approval at the point of use. Because these records include partner references, invoice metadata, and amounts, the feature may leak regulated or commercially sensitive accounting information to an AI provider or internal service that is not appropriately constrained.

Missing User Warnings

Medium (82% confidence)
Finding
The reporter writes generated financial statements to a predictable local path on disk without any indication here of user consent, retention control, access restriction, or secure temp-file handling. In an Odoo financial reporting context, these PDFs can contain highly sensitive company financial data, so silent persistence increases risk of unintended disclosure to other users, processes, backups, or later sessions on the same host.

Missing User Warnings

Medium (83% confidence)
Finding
Balance sheet generation similarly persists a sensitive PDF to a predictable output directory with no visible warning, consent flow, or cleanup. Because balance sheets expose assets, liabilities, and equity, the skill context makes this more dangerous: these are confidential financial records whose residual storage can be accessed by co-located users or services if the environment is shared or poorly permissioned.

Missing User Warnings

Medium (89% confidence)
Finding
This reporter generates PNG WhatsApp cards, chart images, and a PDF report and writes them to disk using predictable filenames without any visible user disclosure, consent gate, or retention controls in this file. In a financial-reporting skill handling sensitive Odoo accounting data, silent artifact persistence can expose confidential business information through shared filesystems, leftover temp files, backups, or other local processes.

Missing User Warnings

Medium (81% confidence)
Finding
The help text presents rpc-call as merely an advanced feature and does not clearly warn that it may execute destructive remote operations against the ERP. While the deeper issue is the unsafe capability itself, the lack of explicit warning increases the chance of accidental misuse by operators and makes a dangerous feature easier to trigger.

Missing User Warnings

Medium (85% confidence)
Finding
When PDF libraries are unavailable, the fallback writes full report contents to an HTML file on disk, which may store sensitive financial or customer data in cleartext. In the Odoo/CFO context, these reports can contain accounting, CRM, AR/AP, VAT, and customer analytics data, so local unencrypted persistence increases confidentiality risk if the host is shared, backed up broadly, or later exposed.

VirusTotal

64/64 vendors flagged this skill as clean.
