crbwi

Odoo Assistant Store Manager

Author: Juan de la cruz Garrido Rodríguez · GitHub ↗ · v1.0.1 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 419
Favorites: 0
Current installs: 0
Versions: 2
Install in OpenClaw
/install odoo-assistant-manager
Description
Odoo ERP via XML-RPC — sales, web orders, stock, products (CLI). Optional Discuss listener.
Security usage recommendations
This skill appears to implement an Odoo CLI and an optional Discuss listener; it is functionally coherent, but exercise caution before enabling the listener. Before installing or running:
  1. Fix the metadata mismatch — ensure the registry lists the required env vars (ODOO_URL/DB/USER/PASSWORD) so you don't accidentally publish or run without secrets configured.
  2. Do NOT run the listener in production unless you explicitly want a long-running bot that polls Odoo Discuss; test it in a staging environment first.
  3. Consider network controls for the runtime (e.g., block requests to internal IP ranges / metadata endpoints) because the skill will fetch URLs supplied via messages or product fields (SSRF risk).
  4. Run with least-privilege Odoo credentials (avoid admin/root DB user) and rotate keys if re-used.
  5. Review the full code locally (already included) and run tests in an isolated environment.
If you don't need automated polling and external-URL scraping, use only the CLI (odoo_manager.py) and avoid setting ODOO_BOT_PARTNER_ID.
Functional analysis
Type: OpenClaw Skill
Name: odoo-assistant-manager
Version: 1.0.1
The skill bundle provides a functional Odoo ERP management system, but contains high-risk architectural patterns. Specifically, `src/odoo_listener.py` implements a polling loop that monitors Odoo Discuss messages and executes subprocesses via `odoo_manager.py` based on chat input; while it uses `shlex.quote` for sanitization, this remains a significant attack surface for command injection. Additionally, both `src/odoo_listener.py` and `src/odoo_manager.py` perform unvalidated HTTP requests to user-provided URLs (via `requests.get` and `urllib.request.urlopen`) to scrape metadata and download images, which introduces a Server-Side Request Forgery (SSRF) vulnerability. Although these behaviors align with the stated purpose of the tool and no clear malicious intent was found, the combination of remote-triggered execution and SSRF risks warrants a suspicious classification.
Capability assessment
Purpose & Capability
The code and environment variables in skill.json / README match the stated purpose (Odoo XML-RPC operations). However the registry metadata provided to you earlier claims no required env vars and the SKILL.md calls this 'instruction-only' despite two substantial Python modules being included; those mismatches are incoherent and should be fixed in the registry before publishing.
Instruction Scope
SKILL.md instructs the agent to run local scripts and only run the optional listener on explicit request, which is appropriate. The listener (src/odoo_listener.py) fetches arbitrary URLs (requests / urllib) and scrapes HTML, and it constructs and runs odoo_manager commands based on Discuss messages. This enables server-side fetching of attacker-controlled URLs (SSRF / internal-network probing) and causes the runtime to execute manager commands derived from external input. While subprocess is invoked without a shell (reducing classic shell-injection), arguments from untrusted messages can still trigger operations (e.g., downloading images, contacting arbitrary endpoints or performing updates).
Install Mechanism
No install spec is provided (lowest install risk). requirements.txt contains only 'requests', which is consistent with the listener. There is no external archive download or unknown install host.
Credentials
The required environment variables in skill.json (ODOO_URL, ODOO_DB, ODOO_USER, ODOO_PASSWORD) are appropriate and expected for an Odoo integration. The inconsistency is that the registry metadata shown to you earlier listed 'Required env vars: none' — that mismatch is a red flag for publishing/metadata hygiene and could lead to accidental deployment without needed secrets or with defaults. Optional vars (BOT partner id, category IDs) are reasonable.
Persistence & Privilege
The skill does not request 'always: true' and will not be force-included. The only higher-privilege behavior is the optional long-running listener, which the SKILL.md and README explicitly mark as 'privileged' and say to run only if requested. Because the listener polls Odoo and can run manager commands autonomously when enabled, it increases blast radius if activated—so it should be started only with deliberate user consent and in controlled environments.
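How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install odoo-assistant-manager
  3. Once installation completes, call the Skill by name or use /odoo-assistant-manager to trigger it
  4. Provide the required inputs according to the Skill's parameter documentation to get structured output
Version history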
v1.0.1
**Odoo Assistant Manager 1.1.0 — Feature expansion and clarified usage**
- Expanded supported commands: new helpers for order details, event registrations, and Odoo Discuss (optional listener).
- Refined command syntax with consistent reference/alias options for stock updates.
- Clarified instructions on terminal usage, path requirements, environment variables, and Odoo-specific IDs.
- Updated rules:
- Agent must not invent API responses; always run the script.
- On error, only report messages and advise on variable checks; agent will not edit `.env` files unless explicitly told.
- Removal of mandatory notes on editing workspace identity files; TOOLS/SOUL integration is now optional and user-driven.
v1.0.0
Odoo Store Manager initial release.
- Manage Odoo store sales, orders, and inventory via command-line script.
- Automatically create products from a URL or by searching the internet; automatically capture the price, image, PVP, etc. and create the product.
- Check sales/orders, search stock, and update product quantities using terminal commands.
- Provides clear instructions and use cases for each core command.
- Includes initialization workflow with steps for memory/tool integration and cheat sheet creation.
- Emphasizes user feedback, error handling, and integration confirmation.
Metadata
Slug odoo-assistant-manager
Version 1.0.1
License MIT-0
Total installs 0
Current installs 0
Versions 2
FAQ

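What is Odoo Assistant Store Manager?

Odoo ERP via XML-RPC — sales, web orders, stock, products (CLI). Optional Discuss listener. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 419 total downloads to date.

How do I install Odoo Assistant Store Manager?

Run the command "/install odoo-assistant-manager" in the OpenClaw or Claude Code chat box to install it in one step, with no additional configuration required.

Is Odoo Assistant Store Manager free?

Yes, Odoo Assistant Store Manager is completely free. It is released under the MIT-0 license and can be freely downloaded, installed and used.

Which platforms does Odoo Assistant Store Manager support?

Odoo Assistant Store Manager runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Odoo Assistant Store Manager?

It is developed and maintained by Juan de la cruz Garrido Rodríguez (@crbwi); the current version is v1.0.1.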
