Odoo JSON2 Operator

Suspicious

Audited by ClawScan on May 10, 2026.

Overview

This skill is purpose-aligned for Odoo automation, but it ships with a bundled Odoo API key that looks live, and it stores user-supplied Odoo API keys in local profile files.

Do not use this skill as-is with production Odoo data. Remove the bundled connections.json credential, rotate the exposed key, and only use your own least-privilege Odoo API key with explicit confirmation for any write or delete operation.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Finding 1

What this means

Installing or invoking the skill could cause the agent to act through a preloaded Odoo account rather than only a user-provided account, and the bundled key may be exposed to anyone who can read the skill files.

Why it was flagged

A non-placeholder Odoo host, database, and bearer API key are bundled with the skill even though the registry metadata declares no primary credential.

Skill content

"odoo19c": { "base_url": "https://odoo19c.ylhctec.com", "database": "odoo19c", "api_key": "514b11fd...<redacted>" }

Recommendation

Remove the bundled profile, revoke or rotate the exposed API key, and require users to provide their own least-privilege Odoo credentials through a declared credential mechanism.

Finding 2

What this means

A saved profile could be reused later without the user realizing which Odoo system or credential is being used.

Why it was flagged

The skill intentionally stores sensitive connection state and reuses it across sessions, which can expose API keys and may make later tasks operate against a stale, unintended, or tampered profile.

Skill content

Persist successful connections locally as named profiles containing `base_url`, `database`, and `api_key`. Reuse saved profile by default in later turns

Recommendation

Store secrets in a secure credential store, require explicit profile selection for high-impact operations, and provide clear controls to list, update, and delete saved profiles.

Finding 3

What this means

Users may provide API keys believing they will not be saved, when the skill is designed to save them locally.

Why it was flagged

The skill gives contradictory safety guidance about API key persistence, while the included code/profile artifacts show API keys are stored in files.

Skill content

Persist successful connections locally as named profiles containing `base_url`, `database`, and `api_key` ... Never log or persist API keys in files

Recommendation

Make the documentation match the implementation: either stop persisting API keys or clearly disclose plaintext/local persistence and its risks.
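One way to make the implementation match the safer half of that guidance, as an added example that is neither the skill's code nor part of ClawScan's report: profiles keep only `base_url` and `database`, the `api_key` never touches the profile file, the profile must be named explicitly when used, and a profile file that already carries a secret (a bundled or tampered one of the shape quoted in Finding 1) is refused rather than reused. The file location `~/.config/odoo-skill/profiles.json`, the environment-variable naming `ODOO_API_KEY_<PROFILE>`, and all sample hosts and key values are assumptions for illustration; in a real skill, `resolve_api_key` would be replaced by the agent's declared credential mechanism or an OS keychain.

```python
"""Added example (not the skill's own code): persist Odoo connection profiles
without their API keys.

Assumptions, for illustration only:
  * profiles live in ~/.config/odoo-skill/profiles.json (hypothetical path);
  * the key for profile NAME is supplied via env var ODOO_API_KEY_<NAME>
    (hypothetical convention) or any other secret lookup passed by the caller.
"""
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, Optional

SECRET_FIELDS = ("api_key", "password", "token")


def default_profile_path() -> Path:
    return Path.home() / ".config" / "odoo-skill" / "profiles.json"  # hypothetical


def load_profiles(path: Path) -> Dict[str, dict]:
    """Load profiles, refusing any file that already carries a secret.

    A bundled or tampered profiles.json with an api_key inside is exactly the
    artifact the findings above describe; refusing it forces the key to be
    removed and rotated instead of silently reused.
    """
    if not path.exists():
        return {}
    data = json.loads(path.read_text(encoding="utf-8"))
    for name, prof in data.items():
        leaked = [f for f in SECRET_FIELDS if f in prof]
        if leaked:
            raise ValueError(
                f"profile {name!r} in {path} stores secret field(s) {leaked}; "
                "delete them and rotate the credential"
            )
    return data


def save_profile(name: str, base_url: str, database: str, path: Path) -> dict:
    """Store only non-secret connection state, owner-readable, written atomically."""
    profiles = load_profiles(path)
    profiles[name] = {"base_url": base_url, "database": database}
    path.parent.mkdir(parents=True, exist_ok=True)
    tmp = path.with_name(path.name + ".tmp")
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)  # 0600 before data lands
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(profiles, fh, indent=2)
    os.replace(tmp, path)
    return profiles[name]


def resolve_api_key(name: str, env: Optional[Dict[str, str]] = None) -> str:
    """Fetch the key for a profile from the environment (hypothetical naming)."""
    env = os.environ if env is None else env
    var = f"ODOO_API_KEY_{name.upper().replace('-', '_')}"
    key = env.get(var)
    if not key:
        raise LookupError(f"no API key for profile {name!r}; set {var}")
    return key


def select_profile(name: str, path: Path, env: Optional[Dict[str, str]] = None) -> dict:
    """Require an explicit profile name and return a connection whose target
    host/database is spelled out; the key exists only in memory."""
    profiles = load_profiles(path)
    if name not in profiles:
        raise KeyError(f"unknown profile {name!r}; known: {sorted(profiles)}")
    conn = dict(profiles[name])
    conn["api_key"] = resolve_api_key(name, env)
    conn["label"] = f"{name}: {conn['base_url']} db={conn['database']}"
    return conn


def run_demo() -> dict:
    """Self-contained scenario in a temp dir using constructed sample values."""
    root = Path(tempfile.mkdtemp())
    path = root / "profiles.json"
    save_profile("staging", "https://odoo-staging.example.test", "staging_db", path)
    on_disk = path.read_text(encoding="utf-8")
    conn = select_profile("staging", path, env={"ODOO_API_KEY_STAGING": "test-key-not-real"})
    # Constructed "bundled" file of the shape Finding 1 quotes, with a key inside.
    bad = root / "bundled.json"
    bad.write_text(json.dumps({"odoo19c": {"base_url": "https://example.test",
                                           "database": "odoo19c", "api_key": "x"}}))
    try:
        load_profiles(bad)
        refused = False
    except ValueError:
        refused = True
    return {"key_on_disk": "api_key" in on_disk, "label": conn["label"],
            "key_in_memory": conn["api_key"], "bundled_refused": refused}


if __name__ == "__main__":
    print(run_demo())
```

Because `load_profiles` runs on every save and select, a profile file that someone later edits to include a key stops the skill instead of quietly redirecting it, and the `label` returned by `select_profile` is what an agent should echo back before any high-impact operation so the user sees which host and database are about to be used.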

Finding 4

What this means

A mistaken request, wrong profile, or overly broad payload could modify or delete important Odoo business data.

Why it was flagged

The broad Odoo operation surface is disclosed and purpose-aligned, but it can modify or delete business records and run custom server-side methods.

Skill content

query or mutate Odoo data (search, read, create, write, unlink, or custom model methods)

Recommendation

Use least-privilege API keys, preview matching records, and require explicit user confirmation before create, write, unlink, or custom mutation methods.
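A guard of the kind this recommendation describes, as an added example that is neither the skill's nor ClawScan's code: read-only methods pass straight through, while create, write, unlink and any method not on the read allow-list (which deliberately covers custom server-side methods) first fetch a preview of the records that would be touched and then require an explicit yes from a confirmation callback, with a batch cap so one overly broad call cannot sweep a whole table. The transport is injected, so the example runs against a constructed in-memory fake of two partner records; `json2_request` only shows the assumed Odoo 19 JSON-2 request layout (`POST /json/2/<model>/<method>` with a bearer token and an `X-Odoo-Database` header) and is never sent, so verify that shape against your own instance's documentation. Least-privilege keys are a server-side control and are not shown here.

```python
"""Added example (not the skill's or ClawScan's code): confirmation-gated
Odoo JSON-2 calls with a record preview and a batch cap.

The transport is injected, so this runs offline against a constructed fake.
The request layout in json2_request is an assumption about Odoo 19's JSON-2
API; check it against your instance before relying on it.
"""
from typing import Any, Callable, Dict, List

# Methods that never change data; everything else is treated as a mutation,
# which deliberately includes custom server-side methods such as action_*.
READ_ONLY = frozenset({"search", "search_read", "search_count", "read",
                       "read_group", "name_search", "fields_get"})

Transport = Callable[[str, str, dict], Any]  # (model, method, payload) -> result


class ConfirmationRequired(Exception):
    """Raised when a mutation was previewed but not explicitly approved."""


class GuardedOdoo:
    def __init__(self, transport: Transport, confirm: Callable[[str], bool],
                 max_batch: int = 50) -> None:
        self._call = transport
        self._confirm = confirm
        self._max_batch = max_batch
        self.audit: List[dict] = []

    def call(self, model: str, method: str, payload: dict) -> Any:
        if method in READ_ONLY:
            return self._call(model, method, payload)
        preview = self._preview(model, method, payload)
        if not self._confirm(preview):
            self.audit.append({"model": model, "method": method, "status": "refused"})
            raise ConfirmationRequired(preview)
        result = self._call(model, method, payload)
        self.audit.append({"model": model, "method": method, "status": "executed",
                           "ids": list(payload.get("ids", []))})
        return result

    def _preview(self, model: str, method: str, payload: dict) -> str:
        ids = list(payload.get("ids", []))
        if len(ids) > self._max_batch:
            raise ValueError(f"{method} on {len(ids)} {model} records exceeds "
                             f"the batch cap of {self._max_batch}")
        lines = [f"{method} on {model}: {len(ids)} record(s)"]
        if ids:  # show the user exactly which records would be touched
            rows = self._call(model, "read", {"ids": ids, "fields": ["display_name"]})
            lines += [f"  [{r['id']}] {r['display_name']}" for r in rows]
        else:    # create, or a custom method without ids: show the payload instead
            lines.append(f"  payload: {payload}")
        return "\n".join(lines)


def json2_request(base_url: str, database: str, api_key: str,
                  model: str, method: str, payload: dict) -> dict:
    """Assumed JSON-2 request layout (not sent here): one POST per call."""
    return {
        "method": "POST",
        "url": f"{base_url.rstrip('/')}/json/2/{model}/{method}",
        "headers": {"Authorization": f"Bearer {api_key}",
                    "X-Odoo-Database": database,
                    "Content-Type": "application/json"},
        "json": payload,
    }


def fake_transport(records: Dict[int, dict]) -> Transport:
    """Constructed in-memory stand-in for the HTTP transport."""
    def transport(model: str, method: str, payload: dict) -> Any:
        if method == "read":
            return [{"id": i, **records[i]} for i in payload["ids"] if i in records]
        if method == "search_read":
            return [{"id": i, **r} for i, r in records.items()]
        if method == "write":
            for i in payload["ids"]:
                records[i].update(payload["vals"])
            return True
        if method == "unlink":
            for i in payload["ids"]:
                records.pop(i, None)
            return True
        raise NotImplementedError(method)
    return transport


if __name__ == "__main__":
    partners = {1: {"display_name": "Acme"}, 2: {"display_name": "Globex"}}  # constructed
    guard = GuardedOdoo(fake_transport(partners),
                        confirm=lambda preview: input(preview + "\nProceed? [y/N] ") == "y")
    print(guard.call("res.partner", "search_read", {"domain": []}))
    try:
        guard.call("res.partner", "unlink", {"ids": [1]})
    except ConfirmationRequired as exc:
        print("refused:\n" + str(exc))
```

The allow-list is the important design choice: gating only `create`, `write` and `unlink` would let a custom method such as an `action_*` call bypass confirmation, so the guard treats everything it does not positively know to be read-only as a mutation. The `audit` list gives the agent a record of what was refused and what was executed against which ids, which is what an operator needs when a wrong profile or an overly broad payload is suspected.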