Odoo Assistant Store Manager

Security checks across malware telemetry and agentic risk

Overview

This is a real Odoo store-management skill, but its optional chat listener can make live ERP changes from Discuss messages without clear user or channel authorization controls.

Install only if you trust the publisher and can use a dedicated least-privilege Odoo account, ideally against a test database first. Avoid running the optional Discuss listener in production until allowed users/channels, confirmations for write actions, URL restrictions, HTTPS validation, and PII redaction or authorization are added.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (10)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding: The skill advertises and instructs use of capabilities that access environment secrets, invoke shell commands, and communicate over the network, but the metadata shown in this file does not declare corresponding permissions. This undermines informed consent and sandbox/policy enforcement, especially because the commands interact with Odoo credentials and privileged business operations.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The documented description understates behavior that can access sensitive customer/order data and pull content from arbitrary external URLs, including downloading remote images and scraping pages for product creation. This mismatch is dangerous because users may authorize a seemingly narrow ERP helper while it actually enables broader data exposure, SSRF-like network reachability, and ingestion of untrusted remote content into business systems.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding: The listener accepts chat messages and can trigger high-impact business actions such as product creation and stock updates. In skill context, this is more dangerous because the described component is a Discuss listener for ERP operations, so unauthorized or accidental messages could modify core inventory/catalog data without strong authorization, confirmation, or scope controls.

Context-Inappropriate Capability

Severity: High
Confidence: 94%
Finding: The Discuss listener turns chat content into local management script executions, creating an indirect command-execution boundary from Odoo messages to the host environment. Even without shell injection, this is dangerous because any weakness in message filtering, quoting, or the downstream manager script can let untrusted chat input drive privileged local operations.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The code fetches arbitrary user-supplied URLs with requests.get and processes the response, which creates an SSRF surface. In this skill context, a chat user can cause the host running the listener to make outbound requests to attacker-chosen destinations, potentially probing internal services, cloud metadata endpoints, or sensitive network locations.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding: The skill includes event-registration access that is not reflected in the declared purpose or metadata, expanding its effective privilege and data reach beyond what an operator would reasonably expect. Hidden or undeclared capability is dangerous because it undermines least surprise and can enable unauthorized access to attendee counts or related event data in environments where the skill was approved only for sales, orders, stock, and products.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding: The skill retrieves detailed order data including shipping address and phone numbers, even though the stated purpose emphasizes sales, web orders, stock, and products rather than customer PII access. This mismatch increases the risk of overprivileged deployment and unreviewed personal-data exposure, especially because the function returns the data directly with no minimization, confirmation, or role check.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding: The image download helper fetches arbitrary external URLs, but this network capability is not clearly declared in the skill purpose. This creates an SSRF-style risk surface and unexpected outbound connectivity, allowing the skill to contact attacker-controlled hosts or internal services if supplied crafted URLs, while also importing untrusted content into Odoo.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The order-detail command discloses full shipping addresses and phone numbers directly in output without any user warning, purpose limitation, or confirmation flow. Because this is personally identifiable information, exposing it on demand increases the chance of accidental disclosure, misuse by an overbroad integration, or leakage into logs/chat history.

Missing User Warnings

Severity: Low
Confidence: 83%
Finding: The web-order report includes customer names and cities in a general status response, which may expose personal data more broadly than necessary for routine operational summaries. Although less sensitive than full addresses and phone numbers, this still creates unnecessary privacy exposure if responses are visible to unauthorized users or retained in transcripts.

VirusTotal

65/65 vendors flagged this skill as clean.