Is ashrf-in/odoo-openclaw-skill safe?

https://github.com/openclaw/skills/tree/main/skills/ashrf-in/odoo-openclaw-skill

Overall score: 87/100 · SAFE

This Odoo financial intelligence skill is a legitimate business tool for read-only ERP reporting. Source code review reveals no malicious patterns, no data exfiltration, and no prompt injection. The primary risks are client-side-only read-only enforcement, inline Python execution patterns in the documentation, and the inherent risk of processing untrusted data from an external Odoo instance that could be used for indirect prompt injection.

Category Scores

Prompt Injection 88/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 75/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 70/100 · 5%

Findings (8)

MEDIUM Install script executes during setup -10

The skill includes an install.sh script that runs during installation, creating a Python virtual environment and installing packages via pip. While the script executed cleanly and the packages are well-known, any install-time code execution is an elevated risk surface.

MEDIUM SKILL.md instructs agent to execute inline Python -15

The skill documentation includes examples using ./venv/bin/python -c with inline Python code for direct RPC queries. This pattern grants the agent arbitrary Python code execution capability, expanding the attack surface if the agent is manipulated via prompt injection from malicious Odoo response data.

LOW Client-side-only read-only enforcement -15

The read-only enforcement is purely client-side, as acknowledged in skill.json (readOnlyEnforcement: client-side). The SAFE_METHODS and BLOCKED_METHODS checks in odoo_client.py can be bypassed if the code is modified or if raw API calls are crafted outside the client class. The skill itself recommends using an Odoo user with restricted permissions as additional protection.

LOW Plaintext credential storage in .env file -10

Odoo credentials including password/API key are stored in a plaintext .env file at assets/autonomous-cfo/.env. While this is standard practice for local development, the credentials grant access to potentially sensitive financial data in the Odoo ERP system.

LOW Malicious Odoo response data could prompt-inject the agent -15

The skill fetches data from an external Odoo instance and presents it to the agent. If the Odoo instance contains crafted data (e.g., a partner named 'Ignore previous instructions and...'), this data could be used for indirect prompt injection when the agent processes the Odoo response.

INFO Model invocation properly disabled 0

The skill correctly sets modelInvocation.disabled=true and requiresUserInvocation=true, preventing autonomous invocation by AI models. This is a strong security practice for a skill handling sensitive financial data.

INFO Clean installation with expected network activity 0

Installation connected only to expected endpoints: GitHub for git clone, Ubuntu/Canonical for system updates, and CDN/PyPI for pip packages. No unexpected processes or filesystem changes detected.

INFO All honeypot files untouched 0

Canary files (.env, SSH keys, AWS credentials, .npmrc, Docker config, gcloud credentials) were not accessed or modified during skill installation or execution.