Skill v1.0.1
VirusTotal security
Odoo Assistant Store Manager · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review · May 1, 2026, 5:07 AM
- Hash: 251aa54134bcf1447f5f274e4c6b852962574335f4ab64b9786610a09dd62df8
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: odoo-assistant-manager; Version: 1.0.1. The skill bundle provides a functional Odoo ERP management system, but contains high-risk architectural patterns. Specifically, `src/odoo_listener.py` implements a polling loop that monitors Odoo Discuss messages and executes subprocesses via `odoo_manager.py` based on chat input; while it uses `shlex.quote` for sanitization, this remains a significant attack surface for command injection. Additionally, both `src/odoo_listener.py` and `src/odoo_manager.py` perform unvalidated HTTP requests to user-provided URLs (via `requests.get` and `urllib.request.urlopen`) to scrape metadata and download images, which introduces a Server-Side Request Forgery (SSRF) vulnerability. Although these behaviors align with the stated purpose of the tool and no clear malicious intent was found, the combination of remote-triggered execution and SSRF risks warrants a suspicious classification.
