Odoo Manager

Warn

Audited by ClawScan on May 10, 2026.

Overview

This looks like a legitimate Odoo integration, but it gives the agent very broad ability to change or delete business data across Odoo models and databases.

Install only if you are comfortable letting the agent manage Odoo data. Use a restricted Odoo API user, test on staging first, verify the resolved URL and database before every write/delete/bulk action, and clear session context when finished.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken or overly broad request could change or delete important CRM, sales, project, accounting, or configuration records in Odoo.

Why it was flagged

Generic CRUD through execute_kw can create, modify, or delete records on any accessible Odoo model, not just contacts. The provided artifacts do not show guardrails such as confirmation requirements, model allowlists, dry-runs, or rollback guidance for high-impact writes.

Skill content

Supports generic CRUD operations on any model using execute_kw, with ready-made flows for res.partner and model introspection.

Recommendation

Use a least-privilege Odoo account, prefer staging first, and require explicit user confirmation plus a preview before any create, update, delete, or bulk operation.

What this means

A context mistake could cause bulk changes in the wrong Odoo database or client environment.

Why it was flagged

The skill is intended to switch between multiple Odoo databases and perform bulk updates. If the active context points to the wrong production or client database, a single bad operation could affect many records.

Skill content

Working with Multiple Databases ... Compare a contact or an order between two databases ... Bulk-update records (in reasonable batches).

Recommendation

Before any write or delete, have the agent display the resolved URL and database, confirm the intended target, and limit batch sizes with an audit trail.

What this means

If an administrator credential is used, the agent may be able to perform administrator-level actions in Odoo.

Why it was flagged

The skill requires Odoo credentials or an API key, which is expected for the integration, but those credentials inherit the full permissions of the configured Odoo user.

Skill content

The API key grants the same level of access as your user. Protect it like a password.

Recommendation

Use a dedicated integration user with only the permissions needed, store secrets in environment variables or a vault, and rotate API keys regularly.

What this means

The agent may keep using a previously selected database or credential until the context is cleared.

Why it was flagged

The skill stores connection context, including possible password/API key values, for the current session. This is disclosed and reset behavior is documented, but stale or poisoned session context could be reused for later operations.

Skill content

Set `user_*` (url, db, username, api_key/password) - Persist for the whole current session - Overridden only by `temporary_*` or by clearing `user_*`

Recommendation

Avoid storing high-privilege secrets in session context, verify the current context before sensitive operations, and clear the Odoo context after finishing a task.