Contact Map Bm

Advisory

Audited by static analysis on May 6, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill can read the Odoo contacts available to the configured Odoo user, potentially including business contact details.

Why it was flagged

The script authenticates to Odoo with a password or API key and reads contact records. This is expected for the map feature, but the credential may grant broader account access than this script needs.

Skill content

    secret = cfg.get('ODOO_API_KEY') or cfg.get('ODOO_PASSWORD') ... models.execute_kw(db, uid, secret, 'res.partner', 'search_read', [domain], {'fields': fields, 'limit': 10000})

Recommendation

Use a least-privileged Odoo account or API key, prefer HTTPS Odoo URLs, and avoid storing long-lived passwords in a local .env unless the file is protected.

What this means

A third-party geocoder can receive address search queries, which may reveal customer or contact locations.

Why it was flagged

When coordinates are missing, the script sends contact address strings to the external Nominatim geocoding service. This is disclosed and purpose-aligned, but it is a third-party data flow.

Skill content

    q = addr + ', Germany' ... requests.get('https://nominatim.openstreetmap.org/search', params=params, headers=headers, timeout=15)

Recommendation

Run this only if sharing contact addresses with Nominatim is acceptable; consider pre-populating coordinates in Odoo, limiting by city, or using an approved internal geocoder for sensitive contacts.

What this means

Anyone with access to the generated HTML file may see mapped contact details.

Why it was flagged

The generated HTML file includes contact email/phone details and is written persistently to the OpenClaw workspace. This matches the feature description, but the file should be treated as sensitive.

Skill content

    if e.get('email'): popup += '<br/>' + html.escape(e.get('email')) ... outfile = os.path.join(outdir, 'odoo_contacts_germany_map.html')

Recommendation

Store the generated file securely, do not publish it accidentally, and delete it when no longer needed.