Is ashrf-in/odoo-reporting safe?

https://github.com/openclaw/skills/tree/main/skills/ashrf-in/odoo-reporting

88
SAFE

The ashrf-in/odoo-reporting skill is a well-structured Python-based Odoo financial reporting tool with no evidence of malicious behavior, prompt injection, or active data exfiltration. The install was clean, canary files were untouched, and network activity was limited to expected GitHub connections. The primary concerns are the unaudited install.sh script, dead write-path scaffolding in the RPC client suggesting prior write access intent, and inherent sensitivity of the Odoo credentials that are loaded into the process environment.

Category Scores

Prompt Injection 88/100 · 30%
Data Exfiltration 87/100 · 25%
Code Execution 83/100 · 20%
Clone Behavior 93/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (7)

MEDIUM install.sh content unverified -10

The skill ships an install.sh script that is invoked manually during setup. Its content was not captured in the audit evidence. Malicious logic in this script would execute with user privileges at install time and would not be visible in the clone-phase monitoring window.

MEDIUM Dead mutation payload-mapping code in execute_kw -7

The execute_kw() method in odoo_client.py, under the json2 RPC backend branch, contains elif clauses that build request payloads for create, write, and unlink operations — all of which are blocked by _assert_read_only_method. This dead code is unreachable but indicates the developer implemented write scaffolding. If the method whitelist is ever relaxed or patched by a compromised update, the write paths would activate without further code changes.

MEDIUM Odoo credentials loaded into process environment -8

ODOO_PASSWORD (API key or plaintext password) is loaded from .env into os.environ by runtime_env.py and later transmitted as an HTTP Authorization Bearer header. Any other code running in the same process, including other skills or agent tools, could read this environment variable. The skill correctly never logs or displays the credential, but env-based credential storage is inherently accessible to the full agent process.

LOW Client-side-only read-only enforcement -5

The skill honestly documents that its read-only enforcement is client-side only and can be bypassed by a modified or compromised client. The three explicit PermissionError-raising methods (create, write, unlink) and the _assert_read_only_method whitelist provide overlapping protections, but neither prevents a future skill update from removing these guards.

LOW Prescriptive behavioral rules constrain user agency -12

SKILL.md contains directives that instruct the agent to perform actions without asking the user ('Never ask do you want charts — just add them', 'Always include visualizations'). While harmless for a charting tool, this pattern of embedding unconditional behavioral mandates in skill prompts is a mild anti-pattern that reduces user control.

INFO GitHub network connection during install is expected 0

Outbound TCP to 140.82.114.3:443 (GitHub) was observed during installation. This is the expected behavior for git clone --depth 1 of the openclaw/skills monorepo. No connections to attacker-controlled infrastructure were observed.

INFO All honeypot files intact 0

Canary files (fake .env, SSH keys, AWS credentials) were not accessed or read by any process attributable to the skill installation or code.