Linkedin Odoo
PassAudited by ClawScan on May 6, 2026.
Overview
The skill does what it claims, but it needs Odoo credentials, sends contact details to DuckDuckGo, and can overwrite an Odoo contact’s LinkedIn field.
Before installing, make sure the Odoo credentials are limited to the needed contact access, run the script only for intended contact IDs, and confirm you are comfortable sending contact name/company data to DuckDuckGo. There is no evidence of hidden exfiltration, obfuscation, destructive behavior, or background persistence in the provided artifacts.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The script acts with the permissions of the supplied Odoo account and can modify contact records.
The skill requires delegated Odoo account credentials. This is expected for updating Odoo records, but those credentials may carry broader CRM permissions than this single-field update needs.
The skill uses Odoo credentials via environment variables... `ODOO_PASSWORD` or `ODOO_API_KEY`
Use a least-privileged Odoo API key or user account limited to the needed contact read/write access, and ensure the required environment variables are clearly configured.
An incorrect search result or unintended contact ID could replace an existing LinkedIn URL in Odoo.
The script intentionally continues and writes a new value even if the contact already has a LinkedIn URL. This is aligned with an updater tool, but it can overwrite existing CRM data without a separate confirmation step.
if partner.get('x_linkedin_url'):
print(f"Partner already has a LinkedIn URL: {partner['x_linkedin_url']}")
# Allow overwrite? Let's just update it anyway or skip? We'll proceed.
...
'res.partner', 'write',
[[partner_id], {'x_linkedin_url': linkedin_url}]Verify the contact ID and found URL before running, and consider changing the workflow to skip or ask for confirmation when x_linkedin_url is already populated.
Contact identity details may be shared with DuckDuckGo as part of the search query.
The workflow sends a contact's name and company to DuckDuckGo to perform the search. This is disclosed and necessary for the skill's function, but it is still an external data flow.
The script will fetch the contact's name and company, run a web search for their LinkedIn profile (`site:linkedin.com/in <Name> <Company>`)... The script uses the `html.duckduckgo.com` search
Use the skill only for contacts where external web searching is acceptable under your privacy or customer-data policies.