odoo-security
Comprehensive Odoo security auditor for model access rules, HTTP route authentication, sudo() usage, SQL injection risks, and record rule completeness across Odoo 14-19.

<example>
Context: User wants a full security audit
user: "Run a complete security audit on my HR module"
assistant: "I will audit access rules, HTTP routes, sudo usage, and SQL injection risks across all files in the module."
<commentary>Full audit trigger - comprehensive security review.</commentary>
</example>

<example>
Context: User wants to check access rules
user: "Check if all models have proper access rules in ir.model.access.csv"
assistant: "I will scan all Python model definitions and compare against ir.model.access.csv to find missing read/write/create/unlink rules."
<commentary>Access check trigger - ir.model.access.csv completeness.</commentary>
</example>

<example>
Context: User wants to find risky sudo usage
user: "Find all places where sudo() is used without proper context"
assistant: "I will scan for .sudo() calls, categorize by context (controller, compute, action), and flag privilege escalation risks."
<commentary>Sudo finder trigger - privilege escalation risk analysis.</commentary>
</example>

<example>
Context: User wants SQL injection audit
user: "Scan my module for SQL injection vulnerabilities"
assistant: "I will scan all Python files for unsafe cr.execute() patterns, string formatting in queries, and missing parameterization."
<commentary>SQL injection trigger - scans for unsafe database query patterns.</commentary>
</example>
# Odoo Security Skill
You are an expert Odoo security auditor. You analyze Odoo module codebases systematically, produce severity-graded reports, and guide developers toward secure-by-default implementations.
## How to Audit
When triggered, follow this methodology:
1. **Validate module** — confirm `__manifest__.py` exists at the given path.
2. **Run Access Checker** — scan `models/*.py` vs `security/ir.model.access.csv`.
3. **Run Route Auditor** — scan `controllers/*.py` for `@http.route()` issues.
4. **Run Sudo Finder** — scan all `.py` files for `.sudo()` risk patterns.
5. **Run SQL Scanner** — find `env.cr.execute()` with unsafe string formatting.
6. **Aggregate results** — merge issues, compute risk score, sort by severity.
7. **Present unified report** with remediation code for each issue.
Use the Python scripts in `odoo-security/scripts/` for automated scanning:
```bash
python odoo-security/scripts/security_auditor.py /path/to/module
python odoo-security/scripts/security_auditor.py /path/to/module --min-severity HIGH --json
```
Or run individual auditors:
```bash
python odoo-security/scripts/access_checker.py /path/to/module --json
python odoo-security/scripts/route_auditor.py /path/to/module --json
python odoo-security/scripts/sudo_finder.py /path/to/module --json
python odoo-security/scripts/sql_scanner.py /path/to/module --json
```
## Severity Levels
| Severity | Weight | Meaning | Action |
|----------|--------|---------|--------|
| CRITICAL | 4 | Immediate vulnerability | Fix before deployment |
| HIGH | 3 | Significant risk | Fix within sprint |
| MEDIUM | 2 | Security weakness | Fix in next release |
| LOW | 1 | Minor improvement | Fix when convenient |
**Risk Score** (0-100) = sum of (issue_count x weight). 80+ = CRITICAL, 50-79 = HIGH, 25-49 = MEDIUM, 1-24 = LOW, 0 = Clean.
## Security Check Reference
### Layer: Access Rules
| Check | Severity | Description |
|-------|----------|-------------|
| Model without CSV entry | CRITICAL | Any `_name` model without access rule |
| Wizard without CSV entry | HIGH | TransientModel without access rule |
| Empty group_id in CSV | HIGH | Grants access to ALL authenticated users |
| No multi-company rule | HIGH | Model with company_id but no record rules |
| Overly permissive perms | MEDIUM | DELETE for non-manager groups |
| Unknown group reference | LOW | CSV references undefined group |
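An added example, not one of the skill's own scripts, showing how the first three checks in this table and the risk score from the Severity Levels section can be implemented over a constructed models file and CSV. It uses the standard `model_` + dotted-name-with-underscores derivation for `model_id:id`; the "manager" substring test for non-manager groups and clamping the score to 100 are assumptions.

```python
import ast, csv, io

WEIGHTS = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}  # Severity Levels table

# Constructed sample input: a models file and its ir.model.access.csv.
MODELS_PY = '''
class Project(models.Model):
    _name = "demo.project"
class ProjectWizard(models.TransientModel):
    _name = "demo.project.wizard"
class ProjectLine(models.Model):
    _name = "demo.project.line"
'''
ACCESS_CSV = """id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
access_demo_project_user,demo.project user,model_demo_project,base.group_user,1,1,1,0
access_demo_project_line,demo.project.line all,model_demo_project_line,,1,1,1,1
"""

def declared_models(source):
    """Map each model _name declared in the source to whether it is a TransientModel."""
    found = {}
    for cls in (n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.ClassDef)):
        transient = any(getattr(b, "attr", getattr(b, "id", "")) == "TransientModel"
                        for b in cls.bases)
        for stmt in cls.body:
            if (isinstance(stmt, ast.Assign) and isinstance(stmt.value, ast.Constant)
                    and isinstance(stmt.value.value, str)
                    and any(isinstance(t, ast.Name) and t.id == "_name" for t in stmt.targets)):
                found[stmt.value.value] = transient
    return found

def check_access(models_src, access_csv):
    """Return (severity, message) findings for the Access Rules layer."""
    rows = list(csv.DictReader(io.StringIO(access_csv)))
    covered = {r["model_id:id"] for r in rows}
    findings = []
    for name, transient in declared_models(models_src).items():
        xml_id = "model_" + name.replace(".", "_")  # standard model_id:id derivation
        if xml_id not in covered:
            findings.append(("HIGH" if transient else "CRITICAL", f"{name}: no entry in ir.model.access.csv"))
    for r in rows:
        group = r["group_id:id"].strip()
        if not group:
            findings.append(("HIGH", f"{r['id']}: empty group_id grants access to all authenticated users"))
        if r["perm_unlink"] == "1" and "manager" not in group.lower():  # name heuristic (assumption)
            findings.append(("MEDIUM", f"{r['id']}: unlink granted to a non-manager group"))
    return findings

def risk_score(findings):
    return min(100, sum(WEIGHTS[sev] for sev, _ in findings))  # clamped to the 0-100 range (assumption)
```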
### Layer: Routes
| Check | Severity | Description |
|-------|----------|-------------|
| auth='none' without auth code | CRITICAL | Completely unauthenticated route |
| Missing auth= parameter | HIGH | Implicit default |
| sudo() + sensitive model in public | HIGH | IDOR risk |
| csrf=False on user route | HIGH | CSRF vulnerability |
| auth='public' + sensitive model | MEDIUM | Data exposure |
| Mixed GET/POST methods | MEDIUM | HTTP semantics violation |
### Layer: sudo()
| Check | Severity | Description |
|-------|----------|-------------|
| sudo() in public + sensitive model | CRITICAL | Bypasses all access controls |
| sudo() in public route | HIGH | Privilege escalation |
| sudo() on sensitive model | HIGH | Broad access |
| sudo() in loop | MEDIUM | Performance + security smell |
| Unscoped sudo() | MEDIUM | No domain filter |
### Layer: SQL Injection
| Check | Severity | Description |
|-------|----------|-------------|
| f-string in cr.execute() | CRITICAL | Direct SQL injection |
| .format() in cr.execute() | CRITICAL | Direct SQL injection |
| String concat in cr.execute() | HIGH | SQL injection risk |
| % operator in cr.execute() | HIGH | SQL injection risk |
| Variable query in cr.execute() | MEDIUM | Verify parameterization |
| _where_calc without _apply_ir_rules | LOW | Bypasses record rules |
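An added example, not the page's sql_scanner.py, that classifies the first argument of each cursor `.execute()` call with Python's `ast` module according to the table above and runs it over constructed sample code. It assumes the cursor is reached as `cr`, `env.cr` or `self._cr`; the `_where_calc` check is out of scope here.

```python
import ast

# Constructed sample: the cr.execute() styles from the table above, plus one safe call.
SAMPLE = '''
def run(self, name, ids, query):
    self.env.cr.execute(f"SELECT id FROM res_partner WHERE name = '{name}'")
    self.env.cr.execute("SELECT id FROM res_partner WHERE name = '{}'".format(name))
    self._cr.execute("SELECT id FROM res_partner WHERE name = '" + name + "'")
    self.env.cr.execute("SELECT id FROM res_partner WHERE id IN %s" % (tuple(ids),))
    self.env.cr.execute(query)
    self.env.cr.execute("SELECT id FROM res_partner WHERE name = %s", (name,))
'''

def _classify(arg):
    """Map the first cr.execute() argument to (severity, check) per the SQL Injection table."""
    if isinstance(arg, ast.JoinedStr):
        return "CRITICAL", "f-string in cr.execute()"
    if isinstance(arg, ast.Call) and isinstance(arg.func, ast.Attribute) and arg.func.attr == "format":
        return "CRITICAL", ".format() in cr.execute()"
    if isinstance(arg, ast.BinOp) and isinstance(arg.op, ast.Add):
        return "HIGH", "string concat in cr.execute()"
    if isinstance(arg, ast.BinOp) and isinstance(arg.op, ast.Mod):
        return "HIGH", "% operator in cr.execute()"
    if not isinstance(arg, ast.Constant):
        return "MEDIUM", "variable query in cr.execute(): verify parameterization"
    return None  # literal query; bound parameters travel in the second argument

def scan_sql(source):
    """Return [(lineno, severity, check)] for every cursor .execute() call in source."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute" and node.args):
            continue
        recv = node.func.value  # accept cr.execute, env.cr.execute, self._cr.execute
        recv_name = recv.attr if isinstance(recv, ast.Attribute) else getattr(recv, "id", "")
        if recv_name not in ("cr", "_cr"):
            continue
        verdict = _classify(node.args[0])
        if verdict:
            findings.append((node.lineno, *verdict))
    return sorted(findings)
```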
### Sensitive Models (elevated risk when accessed via sudo/public)
```
res.partner, res.users, hr.employee, hr.payslip, account.move,
account.payment, sale.order, purchase.order, stock.picking,
ir.config_parameter, ir.attachment, ir.rule, ir.model.access,
mail.message, res.partner.bank
```
## Configuration
Users can create `.odoo-security.json` in the module root to customize:
```json
{
"sensitive_models_add": ["custom.sensitive.model"],
"sensitive_models_remove": ["mail.thread"],
"exclude_paths": ["tests/", "demo/"],
"default_severity": "LOW",
"custom_safe_groups": ["my_module.group_special"]
}
```
## Detailed Reference Material
For detailed remediation patterns and code examples, read these files:
- **memories/security_patterns.md** — Severity-graded patterns with detection commands and production-ready remediation code for each issue type (missing access rules, auth='none' routes, sudo() in public controllers, SQL injection, multi-company rules, sensitive fields).
- **memories/access_rules.md** — Complete ir.model.access.csv reference including column definitions, model_id:id derivation rules, 8 standard access patterns (internal, read-only, portal, wizard, multi-company, system-only, public, inherited), group hierarchy, record rules with domain variables, and common mistakes checklist.
- **memories/odoo_vulnerabilities.md** — Top 8 Odoo vulnerability types with CWE categories, unsafe vs safe code examples, and production remediation: SQL injection, IDOR, mass assignment, privilege escalation via sudo(), SSTI in QWeb, attachment IDOR, missing CSRF, and information disclosure.
Read the appropriate memory file when you need to provide detailed remediation code to the user.
## Output Format
Present findings as a structured report:
```
ODOO SECURITY AUDIT REPORT
Module: module_name
Risk Score: 65/100 — Significant vulnerabilities present
SUMMARY
CRITICAL 2 issues
HIGH 1 issue
MEDIUM 1 issue
ISSUES (sorted by severity)
[CRITICAL] models/my_model.py:15
Model 'my.model' has no access rules in ir.model.access.csv
FIX: Add entry — access_my_model_user,my.model user,model_my_model,[group],1,1,1,0
[HIGH] controllers/main.py:34
Route ['/orders'] uses auth='none' without API key validation
FIX: Add API key validation or change auth='user'
```
For each issue, always include:
1. Severity badge and file location
2. Clear description of what's wrong
3. Specific, copy-pasteable remediation code
IncludedUse this skill for MaxFrame SDK development and documentation navigation on Alibaba Cloud MaxCompute (ODPS). Helps answer MaxFrame API, concept, official example, and supported pandas API questions; create data processing programs; read/write MaxCompute tables; debug jobs (remote or local); and build custom DPE runtime images. Trigger when users mention MaxFrame, MaxCompute with MaxFrame, ODPS table processing, DPE runtime, MaxFrame docs/examples, DataFrame/Tensor operations, or GPU runtime setup. Works for both English and Chinese queries about Alibaba Cloud data processing with MaxFrame.