odoo-security

Pass

Audited by Gen Agent Trust Hub on Mar 28, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill operates as a local static analysis tool. It includes several Python scripts (access_checker.py, route_auditor.py, sudo_finder.py) that examine Odoo source code for common security pitfalls.
  • [COMMAND_EXECUTION]: The orchestrator script (security_auditor.py) uses subprocess.run() to execute the sub-auditor scripts. These calls pass list-based arguments and do not use shell=True, so a user-supplied module path is delivered as a single argv element and cannot inject shell commands. This behavior is expected and safe for a multi-script auditing tool.
  • [DATA_EXFILTRATION]: No network operations or external data transfer mechanisms are present. The skill only performs read operations on local files within the user-specified module path to generate audit reports.
  • [INDIRECT_PROMPT_INJECTION]: While the skill ingests untrusted code from Odoo modules, it mitigates injection risks by using the Python ast module for parsing, which builds a syntax tree without importing or executing the analyzed code. The ingestion point is the user-provided module path, and capabilities are limited to local file system access and internal script execution.
  • [NO_CODE]: Although the skill includes internal Python scripts, they are dedicated solely to the documented security auditing purpose and do not introduce hidden or malicious behaviors.
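The two mitigations the audit relies on, ast-based parsing that never executes the scanned module and list-based subprocess arguments without shell=True, can be illustrated with the following added example. It is not the odoo-security skill's own code; the sample Odoo-style module, the --module-path flag, and the function names are constructed for this illustration.

```python
"""Added example, not code from the odoo-security skill.

Shows (1) an ast walk that reports .sudo() calls in Odoo-style source without
running it, and (2) how to hand a user-controlled module path to a sub-auditor
as one argv element instead of a shell string.
"""
import ast
import subprocess
import sys
from pathlib import Path

# Constructed sample of an Odoo-style model (not a real module). The
# module-level raise proves ast.parse() never executes what it reads.
SAMPLE_MODULE_SOURCE = '''
from odoo import models, fields, api
raise RuntimeError("module-level code runs on import, not on ast.parse")

class Ticket(models.Model):
    _name = "helpdesk.ticket"

    def action_escalate(self):
        # privilege escalation via sudo() with no recorded justification
        partner = self.env["res.partner"].sudo().search([("id", "=", self.partner_id.id)])
        return partner

    def action_safe(self):
        return self.env["res.partner"].search([("id", "=", self.partner_id.id)])

    def action_with_user(self):
        return self.env["res.users"].sudo(True).browse(1)
'''


def find_sudo_calls(source: str, filename: str = "<string>") -> list[dict]:
    """Return one {'line', 'func', 'args'} record per .sudo() call.

    ast.parse() only tokenises and builds a tree; the RuntimeError in the
    sample above is never raised because nothing is imported or exec'd.
    """
    tree = ast.parse(source, filename=filename)
    parent = {}  # child node -> parent node, so a call can be tied to its method
    for node in ast.walk(tree):
        for child in ast.iter_child_nodes(node):
            parent[child] = node

    findings = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr == "sudo"):
            continue
        # Walk up to the enclosing def, if any, to name the method in the report.
        scope = parent.get(node)
        while scope is not None and not isinstance(scope, (ast.FunctionDef, ast.AsyncFunctionDef)):
            scope = parent.get(scope)
        findings.append({
            "line": node.lineno,
            "func": scope.name if scope is not None else "<module>",
            "args": len(node.args) + len(node.keywords),
        })
    return findings


def build_auditor_command(script: Path, module_path: str) -> list[str]:
    """Build argv for a sub-auditor (hypothetical --module-path flag).

    Because this is a list and subprocess.run() is called without shell=True,
    a module_path such as '/srv/addons/x; rm -rf ~' stays a single argument.
    The unsafe alternative would be:
        subprocess.run(f"python {script} --module-path {module_path}", shell=True)
    where the ';' would start a second shell command.
    """
    return [sys.executable, str(script), "--module-path", module_path]


def run_auditor(script: Path, module_path: str) -> subprocess.CompletedProcess:
    """Run one sub-auditor with list arguments and capture its report."""
    return subprocess.run(build_auditor_command(script, module_path),
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    for hit in find_sudo_calls(SAMPLE_MODULE_SOURCE, "sample_ticket.py"):
        print(f"sample_ticket.py:{hit['line']} {hit['func']}(): .sudo() with {hit['args']} arg(s)")
    print(build_auditor_command(Path("sudo_finder.py"), "/srv/addons/helpdesk; rm -rf ~"))
```

The parent map is what lets the report name the enclosing method; ast nodes carry no upward links by default. A real auditor would read each .py file under the module path and call find_sudo_calls() on its contents, which is the same read-only file access the audit describes.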
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 28, 2026, 02:12 AM