VNClaw Odoo Skill

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent Odoo integration, but it gives the agent broad Odoo write authority while explicitly telling it not to ask for confirmation.

Install only if you are comfortable letting the assistant access and modify Odoo through the configured account. Use a limited API key, avoid admin credentials, and consider editing the skill so write actions require confirmation before they run.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
High
What this means

The assistant could create or update Odoo business records as soon as it interprets a request, without the user first seeing the exact command, target record, or field changes.

Why it was flagged

The skill can mutate Odoo records, but its instructions suppress confirmation and pre-execution explanation.

Skill content
Supports read, create, and update operations only... ALWAYS run the command immediately. Never ask the user to confirm or explain what the command does before running it.
Recommendation

Require explicit confirmation for all create, update, log-note, notify, timesheet, calendar, and custom-model operations; show a preview of the command and affected records before execution.

ASI02: Tool Misuse and Exploitation
Medium
What this means

If the configured Odoo account has broad permissions, the agent could alter CRM, sales, inventory, HR, or custom records beyond the common examples.

Why it was flagged

The generic custom app interface is a general-purpose escape hatch over the Odoo API: it can create or update records in any model the credential is allowed to write, not only the modules the dedicated scripts name.

Skill content
Generic interface for any Odoo model/app not covered by the dedicated scripts... Create a record in any model... Update a record (or multiple records) in any model.
Recommendation

Limit custom_app.py to an explicit allowlist of models and fields, and require stronger confirmation for generic model writes.

ASI03: Identity and Privilege Abuse
Medium
What this means

The configured Odoo API key or password determines what business data the agent can read or modify.

Why it was flagged

The skill needs Odoo account credentials, while the registry metadata lists no required env vars and no primary credential.

Skill content
`ODOO_URL`... `ODOO_DB`... `ODOO_USERNAME`... `ODOO_API_KEY` | API key or password
Recommendation

Use a dedicated least-privilege Odoo API key, avoid admin credentials, and ensure the registry metadata declares the required credential and environment variables.