Back to skill

Security audit

Odoo Reporting

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly coherent for read-only Odoo reporting, but its broad raw Odoo read interface and sensitive financial data handling warrant human review before installation.

Install only if you are comfortable giving the skill read access to the Odoo data available to the configured account. Use a least-privilege Odoo API user, avoid the raw rpc-call command unless needed, restrict generated report file access, clean up local outputs containing sensitive data, and update or pin dependencies to patched versions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill explicitly documents access to environment variables, local file read/write locations, and outbound network connections to an Odoo instance, yet the finding indicates no declared permissions are present. This creates a trust and enforcement gap: operators may approve the skill believing it is low-privilege while it can access credentials, pull sensitive financial/customer data, and write report artifacts locally.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The documented behavior exceeds the declared purpose, especially by enabling raw read-only RPC access to arbitrary Odoo models/methods within an allowlist and generating broader formal financial reporting than the description suggests. Even if read-only, this mismatch can mislead reviewers and users about the breadth of accessible data and functionality, increasing the chance of overcollection or exposure of sensitive ERP data.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The ask() path sends a broad snapshot of financial data, including recent accounting moves and cash-account balances, into an AI component without evidence of scope controls, minimization, or approval gates. If the AI backend is external or logs prompts, sensitive financial records may be exposed beyond the deterministic Odoo reporting role described by the skill metadata.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
get_ai_anomaly_report() retrieves recent posted accounting moves and forwards them to an AI analysis component, introducing secondary processing of financial data not clearly declared by the skill's stated query/reporting purpose. This expands the data-handling surface and can leak invoice and counterparty information if the AI service is remote, retained, or insufficiently governed.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The rpc-call command exposes a generic raw Odoo method invoker that accepts arbitrary model, method, and payload values. In a skill advertised as query/reporting-focused, this creates a capability expansion that can enable unauthorized state-changing operations, data exfiltration, or abuse of privileged Odoo methods if an agent or user can reach this interface.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The config command allows arbitrary local settings modification via dotted keys, which exceeds the stated Odoo data-query/reporting scope. Even though it writes only to a local JSON file, this administrative surface can be abused to alter runtime behavior, disable safeguards implemented elsewhere, or persist unauthorized changes across runs.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The natural-language query feature sends accounting context to AI without any visible user-facing notice, consent, or indication that sensitive financial data may be shared with a model. This creates a transparency and privacy problem because users may believe they are querying Odoo directly while their data is being repurposed for AI inference.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The AI anomaly report transmits recent financial records to an AI component without explicit disclosure or confirmation to the user. Because the records include invoice metadata and amounts, undisclosed AI processing can violate least-expectation and create compliance or confidentiality issues.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code writes generated financial statement PDFs to a predictable local path on disk without any disclosure, retention controls, or access restrictions visible in this file. Because the content contains sensitive accounting data, silent persistence increases the risk of unauthorized local access, accidental exposure across users/tenants, and leftover sensitive files remaining after the request completes.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The balance sheet path is similarly written to a predictable output directory without any user-facing notice or safeguards in this file. In an Odoo reporting skill, these PDFs likely contain highly sensitive financial data, so undisclosed persistence can leak balance sheet information through shared filesystem access, backup systems, logs, or stale artifacts.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The reporter generates chart images, WhatsApp card images, and a PDF containing sensitive financial metrics such as liquidity, burn rate, runway, and working capital, and writes them to files with predictable names. In an autonomous reporting skill for Odoo financial data, this creates a real confidentiality risk if files are stored in shared, persistent, or weakly protected locations, because other users or processes may access sensitive business information without explicit disclosure or access controls.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The report explicitly includes customer-identifying data by placing customer names into the PDF report content and also exposes the top customer name in generated cards. In a finance/Odoo skill, this can leak sensitive business relationship information to downstream recipients or storage locations if reports are shared, cached, or generated for users without a strict need-to-know.

Ssd 3

Medium
Confidence
95% confidence
Finding
The code builds a broad AI context containing recent posted moves and cash-flow account balances, regardless of whether the user's query needs all of that information. This lack of minimization increases the blast radius of any prompt leakage, model retention, logging exposure, or downstream misuse of sensitive accounting data.

Known Vulnerable Dependency: requests==2.31.0 — 5 advisory(ies): CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi); CVE-2026-25645 (Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility func) +2 more

Medium
Category
Supply Chain
Confidence
96% confidence
Finding
requests==2.31.0

Known Vulnerable Dependency: pillow==10.0.0 — 10 advisory(ies): CVE-2023-50447 (Arbitrary Code Execution in Pillow); CVE-2024-28219 (Pillow buffer overflow vulnerability); CVE-2023-4863 (libwebp: OOB write in BuildHuffmanTable) +7 more

Critical
Category
Supply Chain
Confidence
99% confidence
Finding
pillow==10.0.0

Known Vulnerable Dependency: pytest==8.0.0 — 2 advisory(ies): CVE-2025-71176 (pytest has vulnerable tmpdir handling); CVE-2025-71176 (pytest has vulnerable tmpdir handling)

High
Category
Supply Chain
Confidence
69% confidence
Finding
pytest==8.0.0

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.