Back to skill

Security audit

VNClaw Odoo Skill

Security checks across malware telemetry and agentic risk

Overview

This is a real Odoo integration, but it gives the assistant broad, immediate ability to read and change business records without confirmation.

Install only after deciding that this assistant may act through an Odoo account with real business authority. Use a dedicated least-privilege API key, avoid admin credentials, remove or restrict generic custom_app.py and odoo_core.py access if you do not need it, and add confirmation for all write, note, notify, HR, document, and timesheet actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (20)

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
The manifest claims only read, create, and update operations, but the documented log-note and notify actions also create internal messages and activities. These are side-effecting actions that can alter workflows, notify staff, and leave audit-visible artifacts beyond simple CRUD expectations.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The manifest claims only read, create, and update operations, but the documented log-note and notify actions also create internal messages and activities. These are side-effecting actions that can alter workflows, notify staff, and leave audit-visible artifacts beyond simple CRUD expectations.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The custom_app.py and odoo_core.py interfaces provide broad arbitrary-model and low-level access not justified by the stated Odoo productivity scope. In practice, this can enable discovery of the ERP schema, access to unrelated business records, and modification of many non-sensitive-but-still-critical operational models if server-side ACLs permit it.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The module explicitly presents itself as a generic interface for any Odoo model/app, which materially exceeds the manifest description that claims support for a limited set of Odoo domains. That scope expansion enables access to sensitive or unintended models through a single catch-all tool, increasing the risk of unauthorized data access or state changes even if some core restrictions exist.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The models and fields commands expose broad schema discovery across Odoo, allowing users to enumerate installed models and inspect arbitrary field definitions. This substantially lowers the barrier to targeting sensitive data or privileged business objects by revealing the internal structure of the tenant beyond the advertised functionality.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script permits read, count, create, update, note logging, and activity scheduling on arbitrary model names supplied at runtime. In a skill advertised for specific Odoo workflows, this generic capability can be abused to alter unrelated records, access sensitive business data, or interact with internal messaging features across the tenant.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The --extra parameter is merged directly into vals from untrusted JSON, allowing arbitrary field writes on helpdesk.ticket during create and update. This bypasses the script's intended field restrictions and can enable unauthorized workflow changes, assignment manipulation, cross-model side effects via relational fields, or writes to sensitive/internal fields if the Odoo account has permission.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The get command accepts arbitrary field names via --fields and returns them directly, which can expose sensitive ticket metadata or related communication fields beyond the documented default view. In a helpdesk context, tickets often contain customer data, internal notes, message threads, and operational metadata, so unrestricted field selection increases data exposure risk.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The generic CLI accepts an arbitrary model name and exposes read/create/write/search functionality against any Odoo model not explicitly blocklisted. This exceeds the declared scope of the skill and creates a capability-expansion issue: a caller can interact with many sensitive business objects or custom models that were never intended to be reachable through this skill.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The helper functions `log_note` and `schedule_activity` introduce additional write capabilities beyond the manifest's stated read/create/update scope for business objects. These functions can modify records indirectly by posting messages and creating follow-up workflow items, which broadens the skill's effective permissions without clear disclosure or centralized policy checks.

Scope Creep

High
Confidence
96% confidence
Finding
`schedule_activity` performs writes on `mail.activity` and reads sensitive framework models such as `ir.model` and `ir.model.data`, none of which are within the declared resource set. Because it accepts an arbitrary target model and record ID, it can be used to create workflow artifacts across the Odoo instance, enabling unauthorized task injection, social engineering, or interference with records outside the intended business domains.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill advertises read/create/update operations for projects, but it also performs additional write-side actions by logging internal notes and scheduling activities. These operations change project history and can notify or assign other users, expanding the effective capability of the skill beyond its stated scope and increasing the chance of unintended side effects.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The create path accepts arbitrary JSON via --extra and merges it directly into vals, allowing callers to set undeclared Odoo fields. This bypasses the intended interface constraints and can enable modification of sensitive attributes, relations, visibility settings, workflow fields, or other server-side state not meant to be exposed by the skill.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The update path also merges arbitrary JSON from --extra directly into vals, enabling modification of any writable project attribute available to the connected Odoo account. In a multi-user ERP context, this can be abused to alter ownership, access-related properties, accounting links, archiving state, or other fields outside the documented project update surface.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The task module exposes additional write-capable operations beyond the declared read/create/update task surface by allowing users to post internal notes and schedule activities. These actions modify Odoo state through side channels that may bypass user expectations, approval boundaries, or downstream auditing assumptions about what this skill can change.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The --extra parameter lets callers inject arbitrary JSON fields into create and update requests, effectively turning a constrained task-management interface into a generic write primitive for project.task records. This can enable modification of sensitive or unintended fields, undermine business rules, and expand the skill beyond its declared operational surface.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The update command advertises that it only works for draft leave requests, but the implementation performs a direct write on any hr.leave record ID without verifying ownership or state. In a time-off workflow, this can let an operator or upstream agent alter submitted, approved, or other users' leave records if the connected Odoo account has sufficient rights, undermining approval integrity and creating unauthorized HR data changes.

Scope Creep

Medium
Confidence
94% confidence
Finding
The list command accepts a user-supplied JSON array for --fields and passes it directly to Odoo search_read, allowing callers to retrieve arbitrary fields from account.analytic.line beyond the intended default exposure. In a multi-tenant or sensitive ERP environment this can expose internal metadata or related fields the skill author did not intend to surface, making the effective data access broader than the declared skill behavior.

Scope Creep

Medium
Confidence
97% confidence
Finding
Both create and update merge json.loads(args.extra) directly into vals, enabling callers to set arbitrary fields on account.analytic.line records. That can bypass the skill's intended narrow interface and permit modification of ownership, billing, links to other records, or other sensitive workflow fields depending on Odoo permissions, turning a simple timesheet tool into a generic record writer.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill explicitly instructs the agent to execute commands immediately and never ask for confirmation, even for create and update operations that modify organizational data. This increases the chance of accidental writes, prompt-induced misuse, and unsafe execution of ambiguous user requests.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.