Security audit

辉火套件ERP

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Odoo ERP skill, but it needs review because it stores live credentials and exposes broad, immediate business-changing actions without consistent confirmation or scope checks.

Install only if you trust the publisher and intend to let this skill operate your company Odoo account. Prefer a revocable Odoo API key with the least privileges needed, keep ~/.huo15/tools.md out of backups and git, and manually verify order IDs, bills, invoices, cancellations, stock validations, and task updates before allowing the agent to run those commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (12)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding
The skill describes capabilities to read/write credential files, access environment variables, invoke shell commands, and communicate over the network, but it declares no corresponding permissions boundary. This creates a real risk of overprivileged execution and makes sensitive operations like storing Odoo credentials and issuing remote ERP actions insufficiently constrained or auditable.

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding
The module documentation explicitly warns that probability must not be manually written because Odoo maintains CRM probability and stage invariants through dedicated workflows. However, the update command accepts --probability and writes it directly to crm.lead, which can desynchronize forecasts, pipeline metrics, and business logic, allowing users or automations to falsify deal health or corrupt CRM state.

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding
The module documentation explicitly states that order confirmation is a write action that should be performed only after user confirmation, but cmd_confirm executes action_confirm immediately with no interactive confirmation, dry-run, or explicit force flag. In an agent skill context that may translate natural-language requests into ERP actions, this increases the risk of accidental order confirmation, which can trigger downstream operational effects such as delivery creation and fulfillment workflows.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding
The tag resolution helper searches the global project.tags model and creates missing tags, which changes shared system state outside the stated scope of managing a user's private to-dos. In an Odoo environment, project tags are often reusable across projects and teams, so a personal to-do command can unintentionally create organization-visible metadata and expand the skill's effective write surface.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
The done/reopen/cancel paths pass arbitrary project.task IDs directly into odoo.write without checking that each record belongs to the caller, is assigned to them, and matches the private to-do domain. If the authenticated Odoo account has broader write permissions, a user or upstream agent could change the state of unrelated tasks across projects, causing unauthorized workflow changes and data integrity issues.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
The update command writes directly to any supplied task ID and can modify title, description, deadline, priority, and personal stage without verifying the record is the caller's own private to-do. In the context of an enterprise Odoo skill, this creates an authorization gap that may let an agent alter unrelated business tasks if the backing account has access.

Vague Triggers

Severity: High
Confidence: 98%
Finding
The trigger instructions intentionally activate on very broad work-related terms such as tasks, reminders, meetings, customers, sales, inventory, and even bare contextual mentions. That can cause the skill to run in conversations where the user did not intend ERP access, increasing the chance of collecting credentials, reading enterprise data, or performing state-changing actions in the company system without clear user intent.

Vague Triggers

Severity: Medium
Confidence: 96%
Finding
Many aliases are common everyday phrases such as '提醒我', '安排会议', '知识库', '待办事项', and '本周安排', which are likely to collide with normal speech. In this skill's context, those collisions are more dangerous because the skill can handle credentials, access corporate records, upload documents, and modify ERP objects once activated.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The function writes the Odoo secret to disk in plaintext inside tools.md and relies mainly on file mode 0600 for protection, but it does not present an explicit warning or confirmation at the moment the sensitive write occurs. In this skill context, the file stores live company-system credentials for Odoo access, so accidental persistence on shared machines, synced home directories, backups, or developer environments increases exposure risk.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The cancel command directly invokes Odoo's button_cancel on a purchase order with no interactive confirmation, dry-run, or explicit acknowledgement step at the point of action. In this skill's ERP context, cancellation is a real state-changing business operation that can disrupt procurement workflows, invalidate approvals, and cause operational or accounting mistakes if triggered accidentally or through ambiguous agent/user instruction.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The bill command immediately calls action_create_invoice to create a supplier invoice without warning or confirmation. In an Odoo purchasing workflow, invoice creation can trigger downstream financial processing, duplicate billing, or accounting inconsistencies, so allowing an agent to perform it from a single command increases the risk of accidental or manipulated write actions.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
cmd_cancel performs a destructive ERP state change immediately with no warning, confirmation, or safety interlock. In this company Odoo skill, cancellations can disrupt sales operations, customer commitments, and downstream documents, and an agent or user misunderstanding could cause unintended business impact even if no external attacker is involved.

VirusTotal

VirusTotal findings are pending for this skill version.