← Back to Skills Marketplace
767
Downloads
0
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install odoo-reporting
Description
Query Odoo data including salesperson performance, customer analytics, orders, invoices, CRM, accounting, VAT, inventory, and AR/AP. Generates WhatsApp cards...
Usage Guidance
Key things to check before installing or using this skill:
1) Do not provide admin credentials. Create a dedicated read-only Odoo user and an API key with minimal scope, and store that key in the skill's .env as recommended. Rotate the key after testing.
2) Confirm the platform/registry skill.json flags: SKILL.md claims model invocation is disabled (user-invocation only) but the registry metadata indicates autonomous invocation may be allowed — ask the publisher or registry maintainer which is authoritative. If autonomous invocation is enabled, do not supply credentials until you can enforce read-only access on the Odoo side.
3) Verify the registry metadata is updated to declare required env vars (ODOO_URL, ODOO_DB, ODOO_USER, ODOO_PASSWORD). Mismatched metadata reduces transparency and is a red flag.
4) Inspect src/connectors/odoo_client.py yourself (it enforces read-only by method name) and validate the blocking logic in your environment. Client-side checks can be bypassed if the files are modified, so rely on Odoo-side read-only permissions for safety.
5) Run the code in an isolated environment (VM/container) and test with a non-production Odoo instance or a dedicated read-only test user before connecting to production data. Monitor Odoo logs for unexpected calls.
6) If you need absolute assurance, request the publisher to provide a signed/verified package or a clear registry entry with explicit required env vars and a statement that the registry/platform will enforce modelInvocation disabled=true.
Overall: the skill appears to implement the stated functionality, but the metadata/instruction contradictions and client-side enforcement caveats make it suspicious until you reconcile those inconsistencies and follow the safety steps above.
Capability Analysis
Type: OpenClaw Skill
Name: odoo-reporting
Version: 2.0.7
The skill is classified as suspicious due to its reliance on client-side read-only enforcement for Odoo API interactions, as explicitly detailed in `SKILL.md`, `skill.json`, and `SECURITY.md`. While the code in `src/connectors/odoo_client.py` actively blocks mutating methods, this client-side control can be bypassed by a modified or compromised client, posing a vulnerability for unauthorized data modification in Odoo. Additionally, the `src/tools/cfo_cli.py` includes an `rpc-call` command allowing execution of arbitrary Odoo model methods, which, despite being subject to the same client-side read-only checks, represents a powerful and high-risk capability if those checks are circumvented.
Capability Assessment
Purpose & Capability
The implementation (connectors, reporters, visualizers) matches the described Odoo reporting purpose and legitimately requires Odoo credentials. However the registry metadata claims 'no required env vars' while SKILL.md and the code require ODOO_URL/ODOO_DB/ODOO_USER/ODOO_PASSWORD — a clear mismatch that must be resolved.
Instruction Scope
SKILL.md instructs local, read-only queries and storing credentials in a local .env; the code follows this (client-side read-only enforcement, local PDF/PNG/Excel outputs). Important limitation: the read-only enforcement is client-side (the author admits this) and can be bypassed if the client or files are modified. The install script also runs a 'doctor' test that will attempt to connect to the Odoo instance if a .env exists (expected, but be aware it will use provided credentials).
Install Mechanism
There is no registry install spec but the repository includes an install.sh, setup.py and a pinned requirements.txt; install.sh creates a venv and pip-installs dependencies (requests, matplotlib, pillow, fpdf2, openpyxl). No third-party binary downloads or obscure URLs are used — moderate risk typical for Python packages. The absence of an explicit install spec in the registry is an administrative inconsistency.
Credentials
The skill requires sensitive credentials (ODOO_PASSWORD/API key) to function, which is appropriate for an Odoo integrator — but the registry metadata declares no required env vars. That mismatch is problematic: if users rely on registry metadata they won't realize the skill needs secrets. The skill requests only Odoo credentials (no unrelated cloud credentials), which is proportionate, but the missing declaration is high-risk from a transparency standpoint.
Persistence & Privilege
SKILL.md and embedded skill.json block autonomous model invocation (disabled: true, requiresUserInvocation: true) but the registry-level flags show disable-model-invocation=false (default). This contradiction matters: if the platform honors the registry flag (allowing autonomous invocation) the skill could be invoked by models with access to Odoo credentials. always:false is good, but the invocation-flag mismatch increases blast radius and should be reconciled before trusting the skill.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install odoo-reporting - After installation, invoke the skill by name or use
/odoo-reporting - Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.0.7
Version 2.0.7
- Improved documentation in SKILL.md, providing detailed guidance on required models, security, setup, and reporting practices.
- Enforced a strict read-only, user-invocation-only policy for all Odoo data queries.
- Expanded security section with clear setup instructions for API key usage, credential isolation, and local processing.
- Highlighted critical best practices: always clarify company, period, accounts, breakdowns, and output format before reporting.
- Added detailed explanation of Odoo reporting requirements, including correct handling of Chart of Accounts and equity calculation.
- Outlined all required environment variables and step-by-step installation instructions.
Metadata
Frequently Asked Questions
What is Odoo Reporting?
Query Odoo data including salesperson performance, customer analytics, orders, invoices, CRM, accounting, VAT, inventory, and AR/AP. Generates WhatsApp cards... It is an AI Agent Skill for Claude Code / OpenClaw, with 767 downloads so far.
How do I install Odoo Reporting?
Run "/install odoo-reporting" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Odoo Reporting free?
Yes, Odoo Reporting is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Odoo Reporting support?
Odoo Reporting is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Odoo Reporting?
It is built and maintained by ashrf-in (@ashrf-in); the current version is v2.0.7.
More Skills