Odoo MCP Server — agentic threat model

AIVSS 9.2 · Critical

The Odoo MCP Server presents a high-risk profile due to its direct integration with critical ERP systems (accounting, inventory, sales). Without robust, external access controls and human-in-the-loop verification, compromised or misaligned agents could execute unauthorized business transactions or exfiltrate highly sensitive corporate data.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 8.5 · AARS uplift 0.73 · Factor sum 4.4/10 · Threat ×1.1 · Mitigation ×1.0

Autonomy of Action: 0.70
Goal-Driven Planning: 0.50
Self-Modification: 0.00
Dynamic Tool Use: 0.80
Persistent Memory: 0.20
Contextual Awareness: 0.50
Dynamic Identity: 0.60
Multi-Agent Interactions: 0.40
Non-Determinism: 0.40
Opacity & Reflexivity: 0.30

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models ⚠ not certain from listing

Not certain from the listing — The MCP server itself is model-agnostic, but the upstream LLM driving it is vulnerable to prompt injection, which could be leveraged to bypass intent alignment and trigger unauthorized ERP actions.

L2 · Data Operations ⚠ not certain from listing

Not certain from the listing — The server queries Odoo ERP databases directly. Threats include unauthorized data exfiltration of sensitive sales, customer, and accounting data, as well as potential ORM/injection vulnerabilities if inputs are not sanitized.

L3 · Agent Frameworks ✓ mapped

Connects agents to Odoo via the Model Context Protocol (MCP). The primary threat is tool misuse, where an LLM misinterprets instructions or is manipulated into executing destructive ERP actions like deleting inventory records or modifying sales orders.

L4 · Deployment & Infrastructure ⚠ not certain from listing

Not certain from the listing — Typically deployed locally or in a container alongside the agent. Threats include insecure storage of Odoo API credentials/passwords and lack of network isolation between the MCP host and the ERP instance.

L5 · Evaluation & Observability ⚠ not certain from listing

Not certain from the listing — No built-in evaluation, guardrails, or transaction monitoring are mentioned. Gaps in logging could allow malicious or erroneous ERP transactions to execute without an audit trail.

L6 · Security & Compliance (cross-cutting) ✓ mapped

The agent's security boundary relies entirely on the Odoo user/role it authenticates as. Over-privileged service accounts represent a severe compliance and security risk, as the agent inherits all read/write permissions of that user.

L7 · Agent Ecosystem ✓ mapped

Designed to expose ERP capabilities to an agent ecosystem. A compromised or rogue upstream agent could abuse the trust relationship with this MCP server to execute cascading, unauthorized business-process actions across multiple Odoo modules.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).