Tracked packageView full profile for mcp-server-odoo

MCPSafe.io

Security pre-install checks for MCP servers.

Mostly safe — a couple of notes worth reading.

Compare to another server

github · mcp-server-odoob6f56ae40eca

Item: mcp-server-odoo
Rating: 4
Author: MCPSafe

Scanned 5/3/2026, 9:13:10 PM·Cached result·Fast Scan·45 rules·How we decide ↗

AIVSS Score

2.8/ 10

Low

Severity Breakdown

critical

high

medium

low

MCP Server Information

Packagemcp-server-odoo

Versionb6f56ae40eca

SourceGITHUB

LicenseMPL-2.0

Publisherivnvxd

Package age1y 1m

Stars267

Downloads/wk—

Dependencies0

Repositoryhttps://github.com/ivnvxd/mcp-server-odoo

Findings

Showing 1–30 of 62 findings

medium (22)

low (8)

«‹

62 findings

medium (54)

AIVSS 2.3CVSS 3.5

Service binds to 0.0.0.0 — all network interfaces. For MCP servers that only need to talk to a single parent process, bind to 127.0.0.1 (or a Unix domain socket) instead.

Evidence

docker run --rm -p 8000:8000 \
  -e ODOO_URL=http://host.docker.internal:8069 \
  -e ODOO_API_KEY=your-api-key-here \
  ivnvxd/mcp-server-odoo --transport streamable-http --host 0.0.0.0
```

The image is also available on GHCR: `ghcr.io/ivnvxd/mcp-server-odoo`

Remediation

Bind to 127.0.0.1 for local-only access. If cross-host access is truly required, put the service behind an authenticated reverse proxy rather than exposing it on 0.0.0.0.

254	docker run --rm -p 8000:8000 \
255	-e ODOO_URL=http://host.docker.internal:8069 \
256	-e ODOO_API_KEY=your-api-key-here \
257	ivnvxd/mcp-server-odoo --transport streamable-http --host 0.0.0.0
258	```
259
260	The image is also available on GHCR: `ghcr.io/ivnvxd/mcp-server-odoo`

343	```bash
344	# Run with HTTP transport
345	uvx mcp-server-odoo --transport streamable-http --host 0.0.0.0 --port 8000
346
347	# Or use environment variables
348	export ODOO_MCP_TRANSPORT=streamable-http

442	except AccessControlError as e:
443	logger.error(f"Access control check failed: {e}")
444	return False, str(e)
445
446	def validate_model_access(self, model: str, operation: str) -> None:
447	"""Validate model access, raising exception if denied.

17	"""Configuration for Odoo connection and MCP server settings."""
18
19	# Required fields
20	url: str
21
22	# Authentication (one method required)
23	api_key: Optional[str] = None
24	username: Optional[str] = None

130	success: bool = Field(description="Whether the record was created successfully")
131	record: Dict[str, Any] = Field(description="Essential fields of the created record")
132	url: str = Field(description="Direct URL to the record in Odoo web interface")
133	message: str = Field(description="Human-readable success message")

20	uses: actions/checkout@v6
21
22	- name: Set up Python
23	uses: actions/setup-python@v6
24	with:
25	python-version: '3.10'

407	&& (needs.mcp-integration-test.result == 'success' \|\| needs.mcp-integration-test.result == 'skipped')
408
409	steps:
410	- uses: actions/checkout@v6
411
412	- name: Set up Python
413	uses: actions/setup-python@v6

226	--health-retries=5
227
228	steps:
229	- uses: actions/checkout@v6
230
231	- name: Checkout MCP Odoo module
232	uses: actions/checkout@v6

42	- name: Extract metadata
43	id: meta
44	uses: docker/metadata-action@v6
45	with:
46	images: \|
47	${{ env.GHCR_IMAGE }}

378	if: always()
379
380	steps:
381	- uses: actions/checkout@v6
382
383	- name: Download coverage artifacts
384	uses: actions/download-artifact@v8

25	uses: docker/setup-qemu-action@v4
26
27	- name: Set up Docker Buildx
28	uses: docker/setup-buildx-action@v4
29
30	- name: Log in to GitHub Container Registry
31	uses: docker/login-action@v4

242	python-version: '3.13'
243
244	- name: Install uv
245	uses: astral-sh/setup-uv@v7
246	with:
247	version: "latest"
248	enable-cache: true

361	- name: Upload coverage artifact
362	if: always()
363	uses: actions/upload-artifact@v7
364	with:
365	name: coverage-mcp
366	path: coverage-mcp.xml

196	- name: Upload coverage artifact
197	if: always()
198	uses: actions/upload-artifact@v7
199	with:
200	name: coverage-yolo
201	path: coverage-yolo.xml

17	steps:
18	- name: Checkout code
19	uses: actions/checkout@v6
20
21	- name: Set up Python
22	uses: actions/setup-python@v6

39	twine check --strict dist/*
40
41	- name: Publish to PyPI
42	uses: pypa/gh-action-pypi-publish@release/v1
43	with:
44	verbose: true
45	print-hash: true

388	path: coverage-reports
389
390	- name: Set up Python
391	uses: actions/setup-python@v6
392	with:
393	python-version: '3.10'

237	token: ${{ secrets.ODOO_APPS_PAT }}
238
239	- name: Set up Python
240	uses: actions/setup-python@v6
241	with:
242	python-version: '3.13'

16	runs-on: ubuntu-latest
17
18	steps:
19	- uses: actions/checkout@v6
20
21	- name: Set up Python
22	uses: actions/setup-python@v6

56	- uses: actions/checkout@v6
57
58	- name: Set up Python ${{ matrix.python-version }}
59	uses: actions/setup-python@v6
60	with:
61	python-version: ${{ matrix.python-version }}

82	- name: Upload coverage artifact
83	if: matrix.python-version == '3.10'
84	uses: actions/upload-artifact@v7
85	with:
86	name: coverage-unit
87	path: coverage-unit.xml

53	python-version: ['3.10', '3.13']
54
55	steps:
56	- uses: actions/checkout@v6
57
58	- name: Set up Python ${{ matrix.python-version }}
59	uses: actions/setup-python@v6

427	twine check dist/*
428
429	- name: Upload artifacts
430	uses: actions/upload-artifact@v7
431	with:
432	name: python-package-distributions
433	path: dist/

22	uses: actions/checkout@v6
23
24	- name: Set up QEMU
25	uses: docker/setup-qemu-action@v4
26
27	- name: Set up Docker Buildx
28	uses: docker/setup-buildx-action@v4

github · mcp-server-odoob6f56ae40eca

medium (22)

low (8)

medium (54)

low (8)

LLM summary— mcp-server-odoo:b6f56ae40eca

Signal scores

LLM judge panel

CVE check

Community trust

Scan details

MCP Server Information

Run this exact engine on your private repo — before users see it on /scan.

medium (22)

low (8)

medium (54)

low (8)

Severity breakdown

393	python-version: '3.10'
394
395	- name: Merge and upload coverage
396	uses: codecov/codecov-action@v6
397	with:
398	directory: coverage-reports
399	flags: all

35	password: ${{ secrets.GITHUB_TOKEN }}
36
37	- name: Log in to Docker Hub
38	uses: docker/login-action@v4
39	with:
40	username: ${{ secrets.DOCKERHUB_USERNAME }}
41	password: ${{ secrets.DOCKERHUB_TOKEN }}

54	type=sha,enable=${{ github.event_name == 'workflow_dispatch' }}
55
56	- name: Build and push
57	uses: docker/build-push-action@v7
58	with:
59	context: .
60	platforms: linux/amd64,linux/arm64

105	if " " in value and len(value) == 19:
106	try:
107	dt = datetime.strptime(value, "%Y-%m-%d %H:%M:%S")
108	return dt.strftime("%Y-%m-%dT%H:%M:%S+00:00")
109	except ValueError:
110	pass
111
112	return value

958	if use_smart_defaults:
959	try:
960	all_fields_info = self.connection.fields_get(model)
961	total_fields = len(all_fields_info)
962	except Exception:
963	pass
964
965	metadata = FieldSelectionMetadata(
966	fields_returned=len(record),

194	# Parse Odoo's compact datetime format
195	dt = datetime.strptime(value, "%Y%m%dT%H:%M:%S")
196	# Return proper ISO format with UTC timezone
197	return dt.strftime("%Y-%m-%dT%H:%M:%S+00:00")
198	except ValueError:
199	pass
200	# Handle standard datetime formats
201	elif field_type == "datetime" and " " in value:
202	try:

202	try:
203	# Parse standard Odoo datetime format
204	dt = datetime.strptime(value, "%Y-%m-%d %H:%M:%S")
205	return dt.strftime("%Y-%m-%dT%H:%M:%S+00:00")
206	except ValueError:
207	pass
208	return value # Return as-is if parsing fails
209	elif isinstance(value, (datetime, date)):
210	if isinstance(value, datetime):

97	if len(value) == 17 and "T" in value and "-" not in value:
98	try:
99	dt = datetime.strptime(value, "%Y%m%dT%H:%M:%S")
100	return dt.strftime("%Y-%m-%dT%H:%M:%S+00:00")
101	except ValueError:
102	pass
103
104	# Handle standard Odoo datetime format (YYYY-MM-DD HH:MM:SS)
105	if " " in value and len(value) == 19: