odoo-oca-developer

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
  • COMMAND_EXECUTION (HIGH): The script scripts/validate_module.py contains a critical security flaw in its manifest parsing logic.
  • Evidence: Inside validate_manifest(module_path), the code reads the content of __manifest__.py and executes it using eval(content).
  • Risk: This allows any Python code embedded in a manifest file to be executed with the full privileges of the user running the validation script. A malicious Odoo module could include system commands (e.g., __import__('os').system('rm -rf /')) within its manifest that would trigger during the validation process.
  • Remediation: Replace eval() with ast.literal_eval() to safely parse Python literals without executing arbitrary code.
  • REMOTE_CODE_EXECUTION (HIGH): Because the validation script is designed to be run on arbitrary module paths provided by the user, it serves as a vector for executing untrusted code from external sources. If an attacker tricks a developer into 'validating' a malicious module, they can achieve persistent access or data exfiltration from the developer's environment.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 05:31 PM