Huo15 Huihuoyun Odoo

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Odoo/ERP connector, but it gives the agent broad authority over sensitive business systems and persistent automations, so it belongs in Review before installation.

Install only if you intentionally want an AI agent with broad ERP powers. Use per-user least-privilege Odoo accounts, avoid shared admin credentials, protect the OpenClaw config directory, disable unneeded background sync channels, and require human confirmation for payments, purchases, user/group changes, bulk edits, webhooks, report schedules, and outbound email.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (23)

Intent-Code Divergence

Medium (72% confidence)
Finding
The guide instructs the model to use an attachment function that is not listed among available tools, which creates ambiguity about how file upload/attachment is actually implemented. In practice, this can push an agent toward undeclared fallback behaviors or hidden tooling for file handling, increasing the risk of unauthorized file exfiltration, unsafe parsing, or inconsistent access control around attachments.

Description-Behavior Mismatch

High (95% confidence)
Finding
The declared skill purpose is a narrow 'implementation manager assistant', but the code exposes a much broader ERP super-interface including user creation, permissions inspection, metaprogramming, automation, webhooks, accounting, payroll, and multi-company administration. This scope mismatch is dangerous because downstream agents or users may trust the manifest and invoke the skill in contexts where these privileged capabilities were never expected or approved.

Context-Inappropriate Capability

High (98% confidence)
Finding
The skill includes generic primitives like arbitrary model search/read and broad write/update patterns that let an LLM operate over nearly any Odoo model, far beyond a constrained assistant workflow. In practice, this creates a confused-deputy risk where prompt injection, user coercion, or model mistakes can access or mutate sensitive business records not intended by the skill's stated purpose.

Context-Inappropriate Capability

Medium (92% confidence)
Finding
The code exposes outbound automation and integration creation, including webhook and scheduled/report-style automation, which extend the skill from assistant behavior into persistence and external data exfiltration capability. That is risky because it allows long-lived side effects and outbound communication channels unrelated to ordinary implementation-assistant tasks.

Intent-Code Divergence

Medium (86% confidence)
Finding
The comment claims inbound channel replies are written back as internal activity, but the implementation later creates a normal chatter comment message with subtype mail.mt_comment. This mismatch is dangerous because operators may assume replies remain internal, while the actual message type can notify followers or become visible more broadly than intended.

Description-Behavior Mismatch

Medium (95% confidence)
Finding
The baseline initialization reads the latest mail.message record globally using only message_type filtering, with no user, partner, follower, or access-scope constraint. In a multi-user ERP assistant that claims sender-isolated access, this can establish state from other users' messages and is a strong indicator that later notifications may expose unrelated business communications.

Description-Behavior Mismatch

High (99% confidence)
Finding
The incremental message poll fetches every new mail.message with id greater than the high-water mark, without restricting results to the current user. That can deliver newly created messages from unrelated records, customers, or internal teams to the callback, causing cross-user data leakage of message bodies and metadata.

Description-Behavior Mismatch

High (98% confidence)
Finding
The baseline email notification query reads mail.notification records filtered only by notification_type, not by the authenticated recipient. mail.notification is inherently recipient-oriented, so omitting a recipient/user filter risks polling and notifying another employee's inbox events, which can expose sensitive workflow and message metadata.

Description-Behavior Mismatch

Medium (92% confidence)
Finding
The calendar baseline query scans upcoming calendar.event records by date range only, without attendee, organizer, or ownership filtering. In shared ERP/groupware deployments, this can enumerate other users' meetings and seed the poller to later notify about events outside the requesting user's scope.

Context-Inappropriate Capability

High (98% confidence)
Finding
The scheduled report feature creates `ir.actions.server` records with `state='code'` and embeds Python source into Odoo, then wires that code to recurring `ir.cron` jobs. That turns a natural-language ERP assistant into a server-side code deployment and persistence mechanism, which is far beyond normal business operations and can be abused for arbitrary privileged automation, data exfiltration, or durable backdoors.

Context-Inappropriate Capability

High (95% confidence)
Finding
The client can create users, assign permission groups, link employees, and enumerate user groups. In an NL assistant context this expands the blast radius from ordinary ERP actions to identity and privilege administration, enabling privilege escalation, unauthorized account creation, or persistence if the assistant is prompted or misused.

Context-Inappropriate Capability

Medium (91% confidence)
Finding
Studio metaprogramming allows the assistant to create custom models and fields dynamically in the production ERP. Even without raw code execution, schema mutation can bypass intended governance, introduce unsafe data paths, expose sensitive fields, or create durable attack surface inconsistent with a normal assistant's stated purpose.

Vague Triggers

Medium (90% confidence)
Finding
The trigger phrase “帮我连接公司系统” (“help me connect to the company system”) is broad and plausibly overlaps with ordinary user requests for help. In an agent environment, this can cause unintended invocation of a privileged ERP-connection workflow, increasing the chance of users being prompted for credentials or starting sensitive operations when they did not explicitly intend to use this skill.

Missing User Warnings

Medium (94% confidence)
Finding
The README states that system URL, username, and password are saved and automatically restored, and that background polling continues, but it does not clearly warn users about credential persistence, notification behavior, or local storage risks. In a business ERP context, this can expose highly sensitive corporate data and lead users to disclose credentials without informed consent.

Vague Triggers

Medium (78% confidence)
Finding
Very broad natural-language activation phrases for an ERP skill can cause unintended execution of sensitive actions from casual conversation or ambiguous requests. Because this plugin can create or modify business records, weak activation boundaries raise the risk of accidental data changes, unauthorized actions, or prompt-triggered misuse in multi-user chat environments.

Vague Triggers

Medium (81% confidence)
Finding
Examples like '帮我写个待办' ("help me write a to-do") or '安排一个会议' ("schedule a meeting") are overly generic for a skill that can create records in enterprise systems. In chat-based contexts, such broad triggers make accidental or manipulated invocation more likely, especially when the agent is expected to infer missing fields and proceed with follow-up actions.

Missing User Warnings

Medium (88% confidence)
Finding
The skill documents continuous background polling for tasks, activities, messages, email, and calendar events but does not prominently warn users that ongoing access continues after setup. In an enterprise environment, silent background synchronization can expose sensitive business data, surprise users about retention/access patterns, and increase privacy risk if credentials or shared configurations are misused.

Missing User Warnings

Medium (91% confidence)
Finding
The manifest explicitly requires long-lived Odoo credentials (username and password) and also defines background notification syncing with syncing enabled by default. Even though collecting credentials is expected for an ERP integration, the lack of any user-facing disclosure about credential storage, background polling, and ongoing transmission increases the risk of users unknowingly granting persistent access to sensitive enterprise data.

Missing User Warnings

Medium (88% confidence)
Finding
The code persists full mutation entries to a JSON file under the user's home directory, including pre-change snapshots and new values. In an ERP context, those snapshots can contain sensitive business or personal data, and there is no access control, redaction, encryption, or retention protection visible here, so local disclosure or unintended reuse of sensitive records is plausible.

Missing User Warnings

Medium (89% confidence)
Finding
`sendEmail` can immediately send outbound email to arbitrary recipients with optional CC/BCC and attachments, but there is no built-in confirmation or user-warning boundary in this client. In an agent setting, this creates risk of prompt-induced data leakage, phishing, accidental disclosure, or irreversible external communication.

Missing User Warnings

Medium (87% confidence)
Finding
`sendEmailFromTemplate` defaults `force_send` to true, causing immediate delivery through templates without a confirmation gate. Template use does not eliminate risk because templates can still target external recipients and include sensitive record data, making accidental or manipulated sends hard to reverse.

Missing User Warnings

Medium (94% confidence)
Finding
The webhook creation path accepts arbitrary external URLs and provisions both a server action and automation that can exfiltrate record data whenever records change. In this skill context, that creates an outbound data transfer channel and durable trigger mechanism without meaningful user-facing friction or destination validation.

Missing User Warnings

High (98% confidence)
Finding
This feature schedules recurring jobs and injects executable server-side Python while presenting itself as report email automation. The combination of persistence, arbitrary code execution, and no strong user-warning/approval boundary makes it especially dangerous in an LLM-operated assistant because a prompt can translate directly into durable privileged behavior.

VirusTotal

66/66 vendors flagged this skill as clean.
