Contact Map Bm
Pass
Audited by ClawScan on May 10, 2026.
Overview
The skill appears coherent and not malicious; it uses Odoo credentials to read contacts, sends addresses to Nominatim for geocoding, and stores a local HTML map with contact details.
Before installing, confirm that using Odoo credentials and sharing contact addresses with Nominatim/OpenStreetMap is acceptable for your organization. Prefer a least-privileged Odoo API key, scope the run where possible, and protect or delete the generated HTML map because it contains contact details.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can read the Odoo contacts available to the configured Odoo user, potentially including business contact details.
The script authenticates to Odoo with a password or API key and reads contact records. This is expected for the map feature, but the credential may grant broader account access than this script needs.
secret = cfg.get('ODOO_API_KEY') or cfg.get('ODOO_PASSWORD') ... models.execute_kw(db, uid, secret, 'res.partner', 'search_read', [domain], {'fields': fields, 'limit': 10000})
Use a least-privileged Odoo account or API key, prefer HTTPS Odoo URLs, and avoid storing long-lived passwords in a local .env unless the file is protected.
A third-party geocoder can receive address search queries, which may reveal customer or contact locations.
When coordinates are missing, the script sends contact address strings to the external Nominatim geocoding service. This is disclosed and purpose-aligned, but it is a third-party data flow.
q = addr + ', Germany' ... requests.get('https://nominatim.openstreetmap.org/search', params=params, headers=headers, timeout=15)
Run this only if sharing contact addresses with Nominatim is acceptable; consider pre-populating coordinates in Odoo, limiting by city, or using an approved internal geocoder for sensitive contacts.
Anyone with access to the generated HTML file may see mapped contact details.
The generated HTML file includes contact email/phone details and is written persistently to the OpenClaw workspace. This matches the feature description, but the file should be treated as sensitive.
if e.get('email'): popup += '<br/>' + html.escape(e.get('email')) ... outfile = os.path.join(outdir, 'odoo_contacts_germany_map.html')
Store the generated file securely, do not publish it accidentally, and delete it when no longer needed.
