Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Openclaw Odoo Skill

v1.0.0

Build or use the Odoo ERP connector for OpenClaw (Sales, CRM, Purchase, Inventory, Projects, HR, Fleet, Manufacturing integration via XML-RPC).

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign

OpenClaw: Suspicious (medium confidence)
Purpose & Capability (flagged)
The skill's name, README, and SKILL.md consistently describe an Odoo ERP connector and the included Python modules implement that functionality (XML-RPC client, model ops, smart actions, webhook/poller). However the registry metadata claims no required environment variables or primary credential, which contradicts the code and README that require ODOO_URL, ODOO_DB, ODOO_USERNAME, and ODOO_API_KEY (or a config.json). This mismatch between declared requirements and actual code is an incoherence that should be resolved.
Instruction Scope (flagged)
SKILL.md and README focus on Odoo operations only (create orders, invoices, employees, etc.), which matches the code. But runtime code (odoo.py and odoo_skill/config.py) reads configuration from config.json and environment variables (ODOO_*), and the package includes a webhook server and background poller for real-time sync. Those runtime behaviors (reading local config file, env vars, and potentially opening an HTTP port) are not reflected in the registry's declared requirements and broaden the scope of what will run when the skill is used.
Install Mechanism
There is no install spec in the registry (instruction-only), but the bundle contains full source, package.json, requirements.txt, setup scripts and tests. No high-risk remote downloads or URL shorteners are present; install paths described are normal (ClawHub or manual copy). Because code will be copied to disk and executed, users should review source and run in a controlled environment.
Credentials (flagged)
The skill actually requires sensitive credentials (ODOO_API_KEY, ODOO_USERNAME, ODOO_DB, ODOO_URL) and may use ODOO_WEBHOOK_SECRET; yet the registry lists no required env vars and no primary credential. Requesting full Odoo API credentials is proportionate to an ERP connector, but hiding that fact in the registry metadata is a red flag (metadata underdeclares privileges).
Persistence & Privilege
The skill is not marked always:true and does not claim to modify other skills or system-wide settings. It can be invoked autonomously (the default), which is expected. Note: the included webhook server and poller imply potential long-running network listeners and background activity if the user enables those features; they do not require 'always:true', but they do expose a network surface.
What to consider before installing
This package looks like a legitimate Odoo connector, but the registry metadata is incomplete: the code expects ODOO_URL, ODOO_DB, ODOO_USERNAME and ODOO_API_KEY (or config.json) and can run a webhook/poller that opens an HTTP port. Before installing:

1) Review the config.json.template and the code (especially sync/webhook.py and the poller) to understand any network listeners.
2) Do not supply production admin API keys during initial tests; create a limited-permission test user in Odoo and a test database.
3) Run the skill in an isolated environment (container or VM).
4) If you enable webhooks, confirm webhook_secret and firewall rules; avoid exposing sensitive ports publicly.
5) Ask the skill author or registry owner to update the metadata to declare required env vars/credentials so the permission surface is explicit.

If you want, I can point to the specific files/lines that read env vars and start the webhook server.
