odoo-service

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes commands and examples that embed plaintext passwords and DB credentials (e.g., psql UPDATE with newpassword, --password CLI flags, .env/POSTGRES_PASSWORD and admin_passwd values), which would require the LLM to include secret values verbatim in outputs.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The Dockerfile templates download and install wkhtmltopdf from GitHub (e.g. https://github.com/wkhtmltopdf/packaging/releases/download/0.12.6.1-3/wkhtmltox_0.12.6.1-3.bookworm_amd64.deb) via RUN wget ... && dpkg -i during a docker build (which the skill can invoke via docker-compose build), so a remote binary is fetched and executed as part of the skill runtime.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill contains numerous system-level actions (apt/dpkg installs, writing /etc/systemd/system service files and enabling them, creating files under /opt and /etc, running createuser/createdb, docker-compose down -v, killing processes, and other privileged operations) that require or encourage elevated privileges and modify the host system state, so it should be flagged.