odoo-security

Pass

Audited by Gen Agent Trust Hub on Apr 23, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The orchestration script scripts/security_auditor.py uses subprocess.run() to execute internal auditing scripts (access_checker.py, route_auditor.py, sudo_finder.py). This is a legitimate implementation for modular security tooling; the command is constructed as an argument list and run without shell=True, which avoids the common shell-based command injection vectors.
  • [DATA_INGESTION]: The skill ingests untrusted data in the form of Odoo module source code (Python, XML, and CSV files) to perform its audit. This creates an indirect prompt injection surface, since malicious code comments could attempt to influence the agent's summary, but the risk is minimal because the analysis is purely static and scanning such code is the skill's fundamental purpose.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 23, 2026, 07:32 AM