by 安全扫描
OpenClaw
可疑
medium confidenceNULL
评估建议
Key things to check before installing or using this skill:
1) Do not provide admin credentials. Create a dedicated read-only Odoo user and an API key with minimal scope, and store that key in the skill's .env as recommended. Rotate the key after testing.
2) Confirm the platform/registry skill.json flags: SKILL.md claims model invocation is disabled (user-invocation only) but the registry metadata indicates autonomous invocation may be allowed — ask the publisher or registry maintainer which is ...详细分析 ▾
ℹ 用途与能力
The implementation (connectors, reporters, visualizers) matches the described Odoo reporting purpose and legitimately requires Odoo credentials. However the registry metadata claims 'no required env vars' while SKILL.md and the code require ODOO_URL/ODOO_DB/ODOO_USER/ODOO_PASSWORD — a clear mismatch that must be resolved.
ℹ 指令范围
SKILL.md instructs local, read-only queries and storing credentials in a local .env; the code follows this (client-side read-only enforcement, local PDF/PNG/Excel outputs). Important limitation: the read-only enforcement is client-side (the author admits this) and can be bypassed if the client or files are modified. The install script also runs a 'doctor' test that will attempt to connect to the Odoo instance if a .env exists (expected, but be aware it will use provided credentials).
ℹ 安装机制
There is no registry install spec but the repository includes an install.sh, setup.py and a pinned requirements.txt; install.sh creates a venv and pip-installs dependencies (requests, matplotlib, pillow, fpdf2, openpyxl). No third-party binary downloads or obscure URLs are used — moderate risk typical for Python packages. The absence of an explicit install spec in the registry is an administrative inconsistency.
⚠ 凭证需求
The skill requires sensitive credentials (ODOO_PASSWORD/API key) to function, which is appropriate for an Odoo integrator — but the registry metadata declares no required env vars. That mismatch is problematic: if users rely on registry metadata they won't realize the skill needs secrets. The skill requests only Odoo credentials (no unrelated cloud credentials), which is proportionate, but the missing declaration is high-risk from a transparency standpoint.
⚠ 持久化与权限
SKILL.md and embedded skill.json block autonomous model invocation (disabled: true, requiresUserInvocation: true) but the registry-level flags show disable-model-invocation=false (default). This contradiction matters: if the platform honors the registry flag (allowing autonomous invocation) the skill could be invoked by models with access to Odoo credentials. always:false is good, but the invocation-flag mismatch increases blast radius and should be reconciled before trusting the skill.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv2.0.72026/2/17
NULL
● 可疑
安装命令
点击复制官方npx clawhub@latest install odoo-reporting
镜像加速npx clawhub@latest install odoo-reporting --registry https://cn.longxiaskill.com