Is julian-r/vodoo safe?

https://github.com/openclaw/skills/tree/main/skills/julian-r/vodoo

Score: 79 · CAUTION

The vodoo skill is a legitimate Odoo ERP interface with no prompt injection, hidden instructions, or malicious installation behavior. However, it introduces a persistent supply chain risk by instructing agents to run an unpinned PyPI package via uvx vodoo on every invocation, meaning a malicious package update would silently execute arbitrary code with full agent permissions. Additionally, the skill's scope is broader than its description implies, granting generic access to any Odoo data model and including high-privilege security management operations (user creation, password resets) that create potential for persistent Odoo backdoors if misused.

Category Scores

Prompt Injection 88/100 · 30%
Data Exfiltration 72/100 · 25%
Code Execution 60/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 65/100 · 5%

Findings (7)

HIGH Unpinned uvx package — persistent supply chain risk -40

Every invocation of uvx vodoo downloads and executes the latest version of the vodoo package from PyPI with no version pin or hash verification. A malicious update to the PyPI package, or a successful typosquat, would cause the agent to execute arbitrary code with full host access (filesystem reads/writes, network connections, shell commands) whenever any vodoo command is used. This risk is not bounded to install time — it applies to every use of the skill.

MEDIUM Generic model accessor exposes all Odoo data -20

The model command grants the agent read access to any Odoo database model by technical name. This includes res.partner (all contacts/customers), account.move (invoices), hr.employee (HR records), and any custom models. A compromised or misused agent could enumerate and read the entire Odoo database without any per-module authorization gate in the skill.

MEDIUM Security management commands exceed declared query scope -12

The skill's description claims it is for querying and managing Odoo data (tickets, tasks, CRM, knowledge). However, the Security section adds the ability to create new users, reset passwords, and assign users to privileged API groups. These operations create persistent access in the Odoo instance and are far beyond the read/update scope implied by the skill description. An agent tricked into running these commands could create backdoor Odoo accounts.

MEDIUM Attachment download commands can pull arbitrary files from Odoo -8

The download and download-all commands write Odoo attachment files to the local filesystem. Combined with another skill capable of exfiltrating local files, this creates a two-step exfiltration path: (1) download sensitive documents from Odoo to disk, (2) send via another skill. The skill provides no scope restriction on which attachments can be downloaded.

LOW Skill enables pivoting to Odoo-hosted sensitive data -5

Organizations use Odoo for CRM, invoicing, HR, and project management. A skill with broad read/write/download access to all Odoo models, when active in an agent that also has filesystem or network tools, creates a high-value data access path. Even without explicit malicious instructions in SKILL.md, the capabilities enabled are significantly broader than typical productivity use cases.

INFO Clean installation — no unexpected behavior 0

The installation performed a standard git sparse-checkout from the openclaw/skills monorepo. Only two files were written. No new network listeners, no process persistence, no hooks or scripts executed. The audit framework's own canary-verification accesses account for the sensitive file reads observed in auditd.

INFO Canary files intact 0

All honeypot files (.env, SSH key, AWS credentials, npmrc, Docker config, GCloud creds) remained unmodified. Observed read accesses in auditd are consistent with the audit framework's pre-install baseline and post-install verification phases, not with any code introduced by the skill.