Contact Map Bm
Pass
Audited by VirusTotal on May 6, 2026.
Overview
Type: OpenClaw Skill
Name: contact-map-bm
Version: 1.0.0
The skill is a legitimate tool for generating an interactive Leaflet map of Odoo contacts. It uses standard XML-RPC to fetch data from Odoo and the Nominatim API for geocoding, with appropriate rate-limiting and HTML escaping to prevent XSS in the output file (scripts/generate_map.py). No evidence of credential exfiltration or malicious execution was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can read the Odoo contacts available to the configured Odoo user, potentially including business contact details.
The script authenticates to Odoo with a password or API key and reads contact records. This is expected for the map feature, but the credential may grant broader account access than this script needs.
secret = cfg.get('ODOO_API_KEY') or cfg.get('ODOO_PASSWORD')
...
models.execute_kw(db, uid, secret, 'res.partner', 'search_read', [domain], {'fields': fields, 'limit': 10000})
Use a least-privileged Odoo account or API key, prefer HTTPS Odoo URLs, and avoid storing long-lived passwords in a local .env unless the file is protected.
A third-party geocoder can receive address search queries, which may reveal customer or contact locations.
When coordinates are missing, the script sends contact address strings to the external Nominatim geocoding service. This is disclosed and purpose-aligned, but it is a third-party data flow.
q = addr + ', Germany'
...
requests.get('https://nominatim.openstreetmap.org/search', params=params, headers=headers, timeout=15)
Run this only if sharing contact addresses with Nominatim is acceptable; consider pre-populating coordinates in Odoo, limiting by city, or using an approved internal geocoder for sensitive contacts.
Anyone with access to the generated HTML file may see mapped contact details.
The generated HTML file includes contact email/phone details and is written persistently to the OpenClaw workspace. This matches the feature description, but the file should be treated as sensitive.
if e.get('email'): popup += '<br/>' + html.escape(e.get('email'))
...
outfile = os.path.join(outdir, 'odoo_contacts_germany_map.html')
Store the generated file securely, do not publish it accidentally, and delete it when no longer needed.
