askill
audit-skill

audit-skillSafety 100Repository

Comprehensive audit capabilities for security, code quality, module structure, compliance, and performance analysis. Use this skill when performing security audits, code reviews, vulnerability assessments, module structure validation, or generating audit reports.

audit-skilljgtolentino
16 stars
1.2k downloads
Updated 2/6/2026

Package Files

Loading files...
SKILL.md

Audit Skill for Odoo InsightPulse

A comprehensive skill for performing multi-dimensional audits on Odoo codebases, including security vulnerabilities, code quality, module structure compliance, and performance analysis.

When to Use This Skill

Use this skill when you need to:

  • Security Audits: Identify vulnerabilities, hardcoded credentials, weak authentication, exposed secrets
  • Code Quality Reviews: Check coding standards, detect code smells, validate OCA compliance
  • Module Structure Audits: Verify module manifests, dependencies, and Odoo best practices
  • Compliance Checks: Validate LGPL-3.0 licensing, GDPR requirements, data privacy
  • Performance Analysis: Identify N+1 queries, missing indexes, inefficient algorithms
  • Dependency Audits: Check for outdated packages, security vulnerabilities in dependencies
  • Configuration Audits: Validate production readiness, environment configurations
  • Database Audits: Check filesystem vs database module state, orphaned records

Core Capabilities

1. Security Audits

Critical Vulnerability Detection:

  • Hardcoded credentials (passwords, API keys, tokens)
  • Exposed database credentials
  • Weak encryption implementations
  • Missing authentication/authorization
  • SQL injection vulnerabilities
  • XSS (Cross-Site Scripting) risks
  • CSRF token validation
  • Insecure file uploads
  • Path traversal vulnerabilities

Secret Detection Patterns:

# Hardcoded passwords
admin_passwd = "password123"
db_password = "secret"

# API keys in code
OPENAI_API_KEY = "sk-..."
GITHUB_TOKEN = "ghp_..."

# Base64 encoded secrets
SECRET = "YWRtaW46cGFzc3dvcmQ="

Security Best Practices:

  • Environment variable usage
  • Secret rotation policies
  • Encryption at rest and in transit
  • Principle of least privilege
  • Row-level security (RLS) policies
  • Audit trail logging

2. Code Quality Audits

OCA Compliance Checks:

  • Module structure validation
  • Manifest (__manifest__.py) completeness
  • Security rules (ir.model.access.csv)
  • Model naming conventions
  • View structure and inheritance
  • Python code style (PEP 8)
  • Docstring completeness

Code Smell Detection:

  • Duplicate code blocks
  • Long methods (>50 lines)
  • Deep nesting (>4 levels)
  • God classes (>500 lines)
  • Unused imports and variables
  • Magic numbers
  • Missing error handling
  • Poor naming conventions

Anti-Patterns:

# Anti-pattern: Direct SQL queries
self.env.cr.execute("SELECT * FROM users")

# Better: Use ORM
self.env['res.users'].search([])

# Anti-pattern: No error handling
result = external_api_call()

# Better: Proper exception handling
try:
    result = external_api_call()
except Exception as e:
    _logger.error(f"API call failed: {e}")
    raise UserError(_("External service unavailable"))

3. Module Structure Audits

Required Files Check:

  • __manifest__.py (required)
  • __init__.py (required)
  • README.md (recommended)
  • security/ir.model.access.csv (if has models)
  • views/ directory (if has UI)
  • models/ directory (if has models)
  • data/ directory (if has data files)
  • tests/ directory (recommended)

Manifest Validation:

# Required keys
{
    'name': 'Module Name',
    'version': '19.0.1.0.0',
    'category': 'Category',
    'summary': 'Short description',
    'description': 'Long description',
    'author': 'Author Name',
    'website': 'https://...',
    'license': 'LGPL-3',
    'depends': ['base', 'mail'],
    'data': [
        'security/ir.model.access.csv',
        'views/menu.xml',
    ],
    'installable': True,
    'application': False,
    'auto_install': False,
}

Dependency Validation:

  • Circular dependency detection
  • Missing dependency declarations
  • Unused dependencies
  • Version compatibility

4. Database Audits

Module State Verification:

  • Filesystem modules vs database records
  • Installed vs uninstalled modules
  • Modules requiring upgrade
  • Orphaned database records
  • Missing security rules

Performance Analysis:

  • Missing database indexes
  • Inefficient queries
  • N+1 query patterns
  • Large table scans
  • Slow view computations

5. Configuration Audits

Production Readiness:

  • Environment variables properly set
  • Debug mode disabled
  • Secure admin password
  • Database connection pooling
  • Resource limits configured
  • Backup strategy in place
  • Monitoring enabled
  • Log rotation configured

Docker Configuration:

  • Multi-stage builds
  • Non-root user
  • Health checks
  • Resource limits
  • Volume mounts
  • Network isolation

6. Compliance Audits

LGPL-3.0 License:

  • License file present
  • License headers in files
  • Third-party notices
  • No proprietary dependencies

GDPR Compliance:

  • Personal data identification
  • Data retention policies
  • Right to erasure implementation
  • Consent management
  • Data portability
  • Privacy policy

Audit Execution Workflow

Step 1: Initialize Audit

# Set audit context
AUDIT_TYPE="security"  # or: code-quality, module-structure, performance
AUDIT_SCOPE="full"     # or: module-name, directory-path
AUDIT_OUTPUT="json"    # or: markdown, csv

Step 2: Run Automated Checks

# Security audit
./scripts/audit-security.sh --scope "$AUDIT_SCOPE" --output "$AUDIT_OUTPUT"

# Module structure audit
./scripts/audit-modules.sh odoo_db --output table

# Code quality audit
flake8 addons/ --config .flake8
pylint addons/ --rcfile .pylintrc-mandatory

Step 3: Manual Review

  • Review flagged files
  • Validate findings
  • Assess severity (Critical, High, Medium, Low)
  • Calculate CVSS scores
  • Document remediation steps

Step 4: Generate Report

Report Structure:

  1. Executive Summary
  2. Overall Risk Score
  3. Critical Vulnerabilities
  4. High Priority Issues
  5. Medium Priority Issues
  6. Low Priority Issues
  7. Recommendations
  8. Remediation Timeline

Step 5: Track Remediation

  • Create issues for each finding
  • Assign severity and priority
  • Set remediation deadlines
  • Track progress
  • Re-audit after fixes

Audit Report Template

# Security Audit Report
**Project**: InsightPulse Odoo
**Date**: YYYY-MM-DD
**Auditor**: Agent Name
**Scope**: Full codebase / Specific module

## Executive Summary

Overall Risk Score: X.X/10 (Critical/High/Medium/Low)

- Critical: X vulnerabilities
- High: X vulnerabilities  
- Medium: X vulnerabilities
- Low: X vulnerabilities

## Critical Vulnerabilities

### 1. Hardcoded Credentials
**Location**: `/path/to/file.py:line`
**Risk**: CVSS 9.8 (Critical)
**Description**: Admin password exposed in configuration
**Remediation**:
- Use environment variables
- Rotate credentials immediately
- Implement secret management

## Recommendations

1. Immediate actions (Critical/High)
2. Short-term improvements (Medium)
3. Long-term enhancements (Low)

## Compliance Status

- [x] LGPL-3.0 License
- [ ] GDPR Compliance
- [x] Security Best Practices
- [ ] Code Quality Standards

Integration with Existing Tools

Security Scanners

# Bandit - Python security linter
bandit -r addons/ -f json -o security-audit.json

# Safety - Dependency vulnerability scanner
safety check --json

# Semgrep - Static analysis
semgrep --config=auto addons/

Code Quality Tools

# Flake8 - Style guide enforcement
flake8 addons/ --max-line-length=88 --extend-ignore=E203

# Pylint - Code quality checker
pylint addons/ --output-format=json

# Black - Code formatter (check only)
black addons/ --check

Odoo-Specific Tools

# OCA maintainer tools
oca-autopep8 -ri addons/
oca-isort -rc addons/

# Odoo module analyzer
./scripts/audit-modules.sh odoo_db --output json

Best Practices

Security

  1. Never commit secrets: Use .env files with .gitignore
  2. Rotate credentials: After any exposure or quarterly
  3. Least privilege: Grant minimum necessary permissions
  4. Encrypt sensitive data: At rest and in transit
  5. Audit trails: Log all security-relevant actions
  6. Regular scans: Automated security checks in CI/CD

Code Quality

  1. Follow OCA guidelines: Module structure and naming
  2. Write tests: Minimum 80% coverage for new code
  3. Document code: Clear docstrings for all public methods
  4. Handle errors: Proper exception handling with logging
  5. Avoid anti-patterns: No direct SQL, use ORM
  6. Keep it DRY: Don't repeat yourself

Performance

  1. Add indexes: On frequently queried fields
  2. Optimize queries: Avoid N+1 patterns
  3. Use computed fields: With proper store=True
  4. Cache when possible: For expensive operations
  5. Profile bottlenecks: Use Odoo profiler
  6. Monitor resources: CPU, memory, database connections

Common Issues and Solutions

Issue: Hardcoded Credentials

Detection:

grep -r "password\s*=\s*['\"]" addons/ --include="*.py"

Solution:

# Bad
db_password = "mysecret"

# Good
import os
db_password = os.environ.get('DB_PASSWORD')

Issue: Missing Security Rules

Detection:

# Check for models without access rules
models_with_no_access = []
for model in self.env['ir.model'].search([]):
    access_count = self.env['ir.model.access'].search_count([
        ('model_id', '=', model.id)
    ])
    if access_count == 0:
        models_with_no_access.append(model.model)

Solution: Create security/ir.model.access.csv:

id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
access_my_model_user,my.model.user,model_my_model,base.group_user,1,0,0,0
access_my_model_manager,my.model.manager,model_my_model,base.group_system,1,1,1,1

Issue: N+1 Query Pattern

Detection:

# Bad - N+1 queries
for order in orders:
    print(order.partner_id.name)  # Separate query for each order

Solution:

# Good - Single query with prefetch
orders = self.env['sale.order'].search([]).with_prefetch(['partner_id'])
for order in orders:
    print(order.partner_id.name)

Issue: Missing Database Indexes

Detection:

# Analyze slow queries in PostgreSQL logs
grep "duration:" /var/log/postgresql/postgresql.log | sort -t: -k2 -n | tail -20

Solution:

class MyModel(models.Model):
    _name = 'my.model'
    
    reference = fields.Char(string='Reference', index=True)  # Add index
    date = fields.Date(string='Date', index=True)

Severity Classification

Critical (9.0-10.0 CVSS)

  • Remote code execution
  • Authentication bypass
  • Exposed credentials
  • Data breach potential

High (7.0-8.9 CVSS)

  • SQL injection
  • XSS vulnerabilities
  • Privilege escalation
  • Missing authentication

Medium (4.0-6.9 CVSS)

  • Information disclosure
  • CSRF vulnerabilities
  • Insecure configurations
  • Missing input validation

Low (0.1-3.9 CVSS)

  • Code quality issues
  • Missing documentation
  • Performance concerns
  • Minor security hardening

Quick Reference

Run Security Audit

cd /home/runner/work/insightpulse-odoo/insightpulse-odoo
grep -r "password\s*=\s*['\"]" . --include="*.py" --include="*.conf"
bandit -r addons/ -ll
safety check

Run Module Audit

./scripts/audit-modules.sh odoo_db --output table

Run Code Quality Audit

flake8 addons/ --config .flake8
pylint addons/ --rcfile .pylintrc-mandatory

Generate Full Report

./scripts/comprehensive-audit.sh --output-dir ./audit-reports

Related Documentation

Skill Maintenance

This skill should be updated when:

  • New vulnerability patterns are discovered
  • OCA guidelines change
  • Odoo version upgrades (new APIs, deprecated features)
  • New audit tools become available
  • Compliance requirements evolve

Version: 1.0.0 Last Updated: 2025-11-01 Maintainer: InsightPulse Team

Install

Download ZIP
Requires askill CLI v1.0+

AI Quality Score

85/100Analyzed 4/24/2026

Comprehensive audit skill for Odoo with excellent technical depth, clear structure, and actionable guidance. Includes detailed security, code quality, module structure, database, configuration, and compliance audit capabilities with real examples and commands. Slightly reduced reusability due to project-specific references (InsightPulse, custom scripts), but structured well enough to adapt. Clear "when to use" section and tags improve discoverability. Located in dedicated skills folder.

100
95
65
95
90

Metadata

Licenseunknown
Version-
Updated2/6/2026
Publisherjgtolentino

Tags

apici-cddatabasegithubgithub-actionslintingobservabilitysecurity