crbwi

Odoo Assistant Store Manager

cross-platform ⚠ suspicious
Downloads: 419
Stars: 0
Active Installs: 0
Versions: 2
Install in OpenClaw
/install odoo-assistant-manager
Description
Odoo ERP via XML-RPC — sales, web orders, stock, products (CLI). Optional Discuss listener.
Usage Guidance
This skill appears to implement an Odoo CLI and an optional Discuss listener. It is functionally coherent, but exercise caution before enabling the listener. Before installing or running:
  1. Fix the metadata mismatch — ensure the registry lists the required env vars (ODOO_URL/DB/USER/PASSWORD) so you don’t accidentally publish or run without secrets configured.
  2. Do NOT run the listener in production unless you explicitly want a long‑running bot that polls Odoo Discuss; test it in a staging environment first.
  3. Consider network controls for the runtime (e.g., block requests to internal IP ranges / metadata endpoints) because the skill will fetch URLs supplied via messages or product fields (SSRF risk).
  4. Run with least-privilege Odoo credentials (avoid admin/root DB user) and rotate keys if re-used.
  5. Review the full code locally (already included) and run tests in an isolated environment.
If you don’t need automated polling and external-URL scraping, use only the CLI (odoo_manager.py) and avoid setting ODOO_BOT_PARTNER_ID.
Capability Analysis
Type: OpenClaw Skill
Name: odoo-assistant-manager
Version: 1.0.1
The skill bundle provides a functional Odoo ERP management system, but contains high-risk architectural patterns. Specifically, `src/odoo_listener.py` implements a polling loop that monitors Odoo Discuss messages and executes subprocesses via `odoo_manager.py` based on chat input; while it uses `shlex.quote` for sanitization, this remains a significant attack surface for command injection. Additionally, both `src/odoo_listener.py` and `src/odoo_manager.py` perform unvalidated HTTP requests to user-provided URLs (via `requests.get` and `urllib.request.urlopen`) to scrape metadata and download images, which introduces a Server-Side Request Forgery (SSRF) vulnerability. Although these behaviors align with the stated purpose of the tool and no clear malicious intent was found, the combination of remote-triggered execution and SSRF risks warrants a suspicious classification.
Capability Assessment
Purpose & Capability
The code and environment variables in skill.json / README match the stated purpose (Odoo XML-RPC operations). However the registry metadata provided to you earlier claims no required env vars and the SKILL.md calls this 'instruction-only' despite two substantial Python modules being included; those mismatches are incoherent and should be fixed in the registry before publishing.
Instruction Scope
SKILL.md instructs the agent to run local scripts and only run the optional listener on explicit request, which is appropriate. The listener (src/odoo_listener.py) fetches arbitrary URLs (requests / urllib) and scrapes HTML, and it constructs and runs odoo_manager commands based on Discuss messages. This enables server-side fetching of attacker-controlled URLs (SSRF / internal-network probing) and causes the runtime to execute manager commands derived from external input. While subprocess is invoked without a shell (reducing classic shell-injection), arguments from untrusted messages can still trigger operations (e.g., downloading images, contacting arbitrary endpoints or performing updates).
Install Mechanism
No install spec is provided (lowest install risk). requirements.txt contains only 'requests', which is consistent with the listener. There is no external archive download or unknown install host.
Credentials
The required environment variables in skill.json (ODOO_URL, ODOO_DB, ODOO_USER, ODOO_PASSWORD) are appropriate and expected for an Odoo integration. The inconsistency is that the registry metadata shown to you earlier listed 'Required env vars: none' — that mismatch is a red flag for publishing/metadata hygiene and could lead to accidental deployment without needed secrets or with defaults. Optional vars (BOT partner id, category IDs) are reasonable.
Persistence & Privilege
The skill does not request 'always: true' and will not be force-included. The only higher-privilege behavior is the optional long-running listener, which the SKILL.md and README explicitly mark as 'privileged' and say to run only if requested. Because the listener polls Odoo and can run manager commands autonomously when enabled, it increases blast radius if activated—so it should be started only with deliberate user consent and in controlled environments.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install odoo-assistant-manager
  3. After installation, invoke the skill by name or use /odoo-assistant-manager
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
**Odoo Assistant Manager 1.1.0 — Feature expansion and clarified usage**
- Expanded supported commands: new helpers for order details, event registrations, and Odoo Discuss (optional listener).
- Refined command syntax with consistent reference/alias options for stock updates.
- Clarified instructions on terminal usage, path requirements, environment variables, and Odoo-specific IDs.
- Updated rules:
  - Agent must not invent API responses; always run the script.
  - On error, only report messages and advise on variable checks; agent will not edit `.env` files unless explicitly told.
- Removal of mandatory notes on editing workspace identity files; TOOLS/SOUL integration is now optional and user-driven.
v1.0.0
Odoo Store Manager initial release.
- Manage Odoo store sales, orders, and inventory via command-line script.
- Automatically create products from a URL or by searching the internet, auto-catch the price, image, pvp, etc., and create the product.
- Check sales/orders, search stock, and update product quantities using terminal commands.
- Provides clear instructions and use cases for each core command.
- Includes initialization workflow with steps for memory/tool integration and cheat sheet creation.
- Emphasizes user feedback, error handling, and integration confirmation.
Metadata
Slug odoo-assistant-manager
Version 1.0.1
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 2
Frequently Asked Questions

What is Odoo Assistant Store Manager?

Odoo ERP via XML-RPC — sales, web orders, stock, products (CLI). Optional Discuss listener. It is an AI Agent Skill for Claude Code / OpenClaw, with 419 downloads so far.

How do I install Odoo Assistant Store Manager?

Run "/install odoo-assistant-manager" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Odoo Assistant Store Manager free?

Yes, Odoo Assistant Store Manager is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Odoo Assistant Store Manager support?

Odoo Assistant Store Manager is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Odoo Assistant Store Manager?

It is built and maintained by Juan de la cruz Garrido Rodríguez (@crbwi); the current version is v1.0.1.
