Odoo Reporting

Key things to check before installing or using this skill: 1) Do not provide admin credentials. Create a dedicated read-only Odoo user and an API key with minimal scope, and store that key in the skill's .env as recommended. Rotate the key after testing. 2) Confirm the platform/registry skill.json flags: SKILL.md claims model invocation is disabled (user-invocation only) but the registry metadata indicates autonomous invocation may be allowed — ask the publisher or registry maintainer which is authoritative. If autonomous invocation is enabled, do not supply credentials until you can enforce read-only access on the Odoo side. 3) Verify the registry metadata is updated to declare required env vars (ODOO_URL, ODOO_DB, ODOO_USER, ODOO_PASSWORD). Mismatched metadata reduces transparency and is a red flag. 4) Inspect src/connectors/odoo_client.py yourself (it enforces read-only by method name) and validate the blocking logic in your environment. Client-side checks can be bypassed if the files are modified, so rely on Odoo-side read-only permissions for safety. 5) Run the code in an isolated environment (VM/container) and test with a non-production Odoo instance or a dedicated read-only test user before connecting to production data. Monitor Odoo logs for unexpected calls. 6) If you need absolute assurance, request the publisher to provide a signed/verified package or a clear registry entry with explicit required env vars and a statement that the registry/platform will enforce modelInvocation disabled=true. Overall: the skill appears to implement the stated functionality, but the metadata/instruction contradictions and client-side enforcement caveats make it suspicious until you reconcile those inconsistencies and follow the safety steps above.