odoo-dev-assistant
Warn
Audited by Socket on Apr 9, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS. The skill mostly aligns with Odoo admin/dev work and uses official Odoo/PostgreSQL tooling for the core database actions, so it is not fundamentally incompatible with its stated purpose. However, it is over-broad, includes credential exposure by instructing the agent to read and directly report db_password from odoo.conf, and adds an unpinned third-party npx package for HTML conversion. The main risk is privileged local admin activity plus unnecessary secret disclosure, not clear malware or external exfiltration.
Confidence: 88%
Severity: 58%
Audit Metadata