Clawhub Package Full
Warn
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a legitimate Odoo connector, but it needs review because it can use an Odoo API key to make broad ERP changes across finance, HR, inventory, sales, and public website data without clearly declared credential and safety boundaries.
Install only if you intend to let OpenClaw operate your Odoo ERP. Use a dedicated least-privilege Odoo API user, test in a sandbox first, require confirmation for financial/HR/public/destructive actions, configure webhook secrets if enabled, and monitor Odoo audit logs.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or overbroad agent action could change or delete business records, including sales, purchasing, HR, inventory, invoices, or website product state.
The client exposes a raw Odoo XML-RPC passthrough for arbitrary models and methods, and the same file also provides generic create/write/unlink helpers. For an ERP system, this is powerful mutation authority unless tightly scoped and confirmed.
def execute(... model: str, method: str, *args: Any, **kwargs: Any) -> Any:
    ...
    self.models.execute_kw(... model, method, list(args), kwargs if kwargs else {})
Use a least-privilege Odoo API user, restrict allowed models/actions, and require explicit user confirmation for write, delete, post, approve, confirm, publish, or other irreversible operations.
The skill will act with whatever permissions the configured Odoo user has, which may include sensitive financial, employee, customer, and operational data.
The code requires an Odoo API key, but the supplied registry metadata declares no required environment variables and no primary credential. That under-declares delegated access to a business account.
if not self.api_key:
    errors.append("ODOO_API_KEY is required (generate in Odoo → Preferences → Account Security)")
Create a dedicated Odoo API user with only the modules and actions needed, declare the credential requirement clearly, and avoid using administrator credentials.
An incorrect match or incomplete request could propagate into orders, products, invoices, HR records, manufacturing records, or public eCommerce changes.
Fuzzy matching and auto-creation across many ERP modules can turn a misunderstood natural-language request into multiple linked business records or workflow changes.
enabling autonomous, chat-driven control over 153+ business modules ... All operations use smart actions that handle fuzzy matching and auto-creation workflows.
Require preview-and-confirm workflows for smart actions, show matched records before acting, and keep backups/audit logs for all ERP mutations.
If webhook functionality is enabled without a strong secret, incoming event origin and integrity may be harder to verify.
The configuration supports inbound webhook handling and an HMAC secret, but the default secret is empty. The provided artifacts do not show that the webhook starts automatically, so this is a configuration note rather than evidence of active unsafe behavior.
webhook_port: int = 8069
webhook_secret: str = ""
Set a strong ODOO_WEBHOOK_SECRET before enabling webhooks, restrict the listening interface where possible, and verify webhook authentication behavior.
