odoo-test
Pass
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [SAFE]: No malicious patterns or security vulnerabilities were detected. The skill is a legitimate developer tool designed for improving software quality in Odoo projects.
- [COMMAND_EXECUTION]: The script scripts/test_runner.py executes Odoo testing commands via subprocess.Popen. This is an intended core feature for running test suites. The implementation follows security best practice by passing the arguments as a list rather than as a single command string, so no shell parses the command line and a hostile module name or path cannot splice in additional commands.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface because it ingests local codebase files and turns them into generated testing code.
  (1) Ingestion points: Odoo model files are read from the filesystem by scripts/coverage_reporter.py, scripts/mock_data_factory.py, and scripts/test_generator.py.
  (2) Boundary markers: Absent; the scripts process the full content of the source files found under the module path.
  (3) Capability inventory: The skill can write new Python files to the filesystem (test_generator.py, mock_data_factory.py) and execute local processes (test_runner.py).
  (4) Sanitization: The scripts use the standard ast module for structured parsing and Python's repr() for string interpolation, so string values copied from the models are emitted into generated code as quoted literals rather than raw text, which mitigates basic injection risks in the generated code.
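The two mitigations the audit credits to the skill (an argv list instead of a shell string, and ast parsing plus repr() when emitting generated code) are shown below as an added, self-contained illustration. This is constructed example code, not the odoo-test skill's own scripts: the odoo-bin flags used are the standard ones (-d, -i, --test-enable, --stop-after-init) but odoo-bin itself is replaced by a throwaway Python child so the example runs offline, the Odoo model source and the hostile default value are made up, and the deliberately unsafe variant assumes a POSIX shell.

```python
"""Added illustration of the two mitigations named in the audit above.
Constructed example, not the odoo-test skill's own code. Assumptions:
standard odoo-bin flags, a Python child standing in for odoo-bin, a
made-up Odoo model source, and a POSIX shell for the unsafe variant.
"""
from __future__ import annotations

import ast
import json
import keyword
import subprocess
import sys


# ---- 1. Command execution: argv list, no shell --------------------------

def build_test_argv(odoo_bin: str, database: str, module: str) -> list[str]:
    """Argument vector for one Odoo test run; each value is its own element."""
    return [odoo_bin, "-d", database, "-i", module,
            "--test-enable", "--stop-after-init"]


def argv_as_seen_by_child(argv: list[str]) -> list[str]:
    """Run the argv with a throwaway Python child in place of odoo-bin
    (so the example runs offline) and return the args it received."""
    echo = [sys.executable, "-c",
            "import json, sys; print(json.dumps(sys.argv[1:]))"]
    out = subprocess.run(echo + argv[1:], capture_output=True, text=True, check=True)
    return json.loads(out.stdout)


def shell_string_output(module: str) -> list[str]:
    """The pattern the audit credits the skill with avoiding: the same value
    spliced into a shell string. Uses echo so the injected command is harmless."""
    out = subprocess.run("echo " + module, shell=True, capture_output=True, text=True)
    return out.stdout.split()


# ---- 2. Prompt-injection surface: ast for parsing, repr() for emitting ---

HOSTILE_DEFAULT = '"); import os; os.system("id"); ("'   # constructed payload
MODEL_SOURCE = f'''
from odoo import models, fields

class PartnerExt(models.Model):
    _name = "res.partner.ext"
    name = fields.Char(default={HOSTILE_DEFAULT!r})
    code = fields.Char(default="ABC")
'''   # constructed model file; never imported, only parsed


def extract_char_defaults(model_source: str) -> dict[str, str]:
    """Collect `x = fields.Char(default="...")` pairs. ast.parse builds a tree
    without importing or executing the module, so hostile source cannot run
    here; it can only show up as data."""
    found: dict[str, str] = {}
    for node in ast.walk(ast.parse(model_source)):
        if not (isinstance(node, ast.Assign) and isinstance(node.value, ast.Call)):
            continue
        call, target = node.value, node.targets[0]
        if not (isinstance(call.func, ast.Attribute) and call.func.attr == "Char"
                and isinstance(target, ast.Name)):
            continue
        for kw in call.keywords:
            if kw.arg == "default" and isinstance(kw.value, ast.Constant) \
                    and isinstance(kw.value.value, str):
                found[target.id] = kw.value.value
    return found


def render_assertion(field: str, expected: str) -> str:
    """Emit one assertion line. repr() turns the value into a quoted literal;
    the field name is emitted bare, so it gets its own identifier check."""
    if not field.isidentifier() or keyword.iskeyword(field):
        raise ValueError(f"refusing to emit non-identifier field name {field!r}")
    return f"self.assertEqual(rec.{field}, {expected!r})"


def render_assertion_unsafe(field: str, expected: str) -> str:
    """Naive variant: hand-quoted interpolation lets the value close the
    string literal and append further statements."""
    return f'self.assertEqual(rec.{field}, "{expected}")'


def is_single_call(generated: str) -> bool:
    """True only if the generated line parses as exactly one expression
    statement with no import node anywhere in it (the line is parsed, not run)."""
    tree = ast.parse(generated)
    has_import = any(isinstance(n, (ast.Import, ast.ImportFrom)) for n in ast.walk(tree))
    return len(tree.body) == 1 and isinstance(tree.body[0], ast.Expr) and not has_import


if __name__ == "__main__":
    argv = build_test_argv("odoo-bin", "test_db", "sale; echo INJECTED")
    print(argv_as_seen_by_child(argv))                  # module stays one argument
    print(shell_string_output("sale; echo INJECTED"))   # ['sale', 'INJECTED']
    defaults = extract_char_defaults(MODEL_SOURCE)
    print(is_single_call(render_assertion("name", defaults["name"])))         # True
    print(is_single_call(render_assertion_unsafe("name", defaults["name"])))  # False
```

The scope of the repr() mitigation is worth keeping in mind when reading finding (4): repr() protects values that land in string-literal position, but anything emitted as a bare Python name (a field or model identifier copied from the parsed file) is not quoted, which is why the example validates field names with str.isidentifier() before emitting them. Parsing a suspicious generated line with ast, as is_single_call() does, is a cheap post-check that a template produced one statement and nothing more.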
Audit Metadata