Openclaw Skill for Odoo

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Odoo connector, but it gives an agent broad power to change live business records without strong built-in approval or scope limits.

Install only if you intend to let the agent operate against Odoo. Use a dedicated least-privilege Odoo API user, test in a staging database first, require explicit human approval for create/update/delete/post/confirm/receive/publish actions, back up important data, and keep webhook or background polling disabled unless you deliberately configure and secure them.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (9)

Intent-Code Divergence

Medium

Confidence: 94% confidence
Finding: The module docstring states the component provides read-only access, but the implementation includes `publish_product` and `unpublish_product`, which perform state-changing writes to `product.template`. This mismatch can mislead reviewers, integrators, or policy engines into granting broader trust or permissions than intended, increasing the chance of unauthorized product publication changes in production.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The README markets full business control and broad CRUD access over a live ERP without an explicit, prominent warning that user prompts can modify production records. In an agent context, this can normalize risky operation of the skill against real systems and increase the chance of accidental data creation, modification, or workflow changes by users who expect safer defaults.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The usage examples demonstrate state-changing operations such as creating quotations, leads, products, projects, employees, and expenses without adjacent cautionary guidance. For an LLM-driven connector, examples strongly shape expected behavior, so omission of warnings can lead users to issue destructive or production-impacting commands without understanding the consequences.

Missing User Warnings

High

Confidence: 96% confidence
Finding: The documented fuzzy matching and automatic creation of missing customers and products materially raises the risk of unintended record creation, duplicate master data, and downstream business process errors. In an ERP context, silent or automatic creation is especially dangerous because small prompt ambiguities can propagate into sales, inventory, accounting, and reporting systems.

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: The skill is positioned as enabling autonomous control over large parts of an ERP and repeatedly showcases creation, confirmation, posting, and other state-changing actions without a clear upfront warning that user prompts can directly modify production business data. In an ERP context, silent data-changing behavior can lead to fraudulent transactions, accounting errors, inventory corruption, or HR record tampering if triggered accidentally or through prompt manipulation.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The documented smart-action workflow performs fuzzy matching and automatically creates missing customers, products, projects, and other entities when no exact match is found, but it does not require explicit confirmation before writing new records. In an ERP system, this can easily produce wrong counterparties, duplicate master data, or unintended transactions from ambiguous natural-language input, amplifying both accidental misuse and prompt-injection-driven abuse.

Missing User Warnings

Medium

Confidence: 78% confidence
Finding: The method can transition a manufacturing order to the final 'done' state and even directly write state-related fields without any explicit confirmation, safeguard, or policy check in this layer. In an agent skill context, this increases the chance of unintended irreversible ERP actions from ambiguous prompts, automation mistakes, or misuse of exposed tool capabilities, potentially affecting inventory, accounting, and production records.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The receive_products method automatically sets received quantities to the full ordered quantity and then validates stock pickings without any caller confirmation, approval gate, or safety checks on partial receipts and exceptions. In an ERP connector, this can directly alter inventory state and downstream accounting/procurement workflows, so misuse or accidental invocation can cause significant operational and financial integrity issues.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: This handler performs state-changing ERP operations from fuzzy natural-language inputs and automatically creates missing partners, products, departments, and other records without an approval gate. In an agent setting, ambiguous or adversarial prompts can therefore cause unintended writes, data pollution, fraudulent business documents, or workflow side effects across sales, purchasing, HR, and calendar modules.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal