Hefestoai Auditor

v2.2.0

Static code analysis tool. Detects security vulnerabilities, code smells, and complexity issues across 17 languages. All analysis runs locally — no code leav...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, and required binary ('hefesto') match the SKILL.md commands (e.g., 'hefesto analyze ...'). Requested capabilities (static analysis across many languages) are consistent with the CLI usage shown.
Instruction Scope
SKILL.md instructs only local read-only analysis of source directories, which is appropriate. However it explicitly asserts 'No network calls are made during analysis' while also advertising paid tiers with a REST API/BigQuery integration and pointing to external endpoints for licensing—these statements are inconsistent and the document gives no assurance or mechanism to validate that the installed package won't perform network activity. Because the skill is instruction-only and the actual binary comes from an external pip package, the claim of 'local-only' cannot be confirmed from the manifest alone.
Install Mechanism
There is no platform install spec in the registry, but the SKILL.md suggests installing a pip package 'hefesto-ai' which will provide the 'hefesto' binary. Installing via pip is common and reasonable for a CLI tool, but pip packages execute arbitrary Python code during installation and at run-time; the registry entry does not provide a vetted release URL, checksum, or PyPI page to verify. This is moderate risk but expected for a CLI delivered via pip.
Credentials
The skill does not declare any environment variables, credentials, or config paths. For a static analysis tool that reads local source files, this is proportionate.
Persistence & Privilege
The skill is not always-enabled and uses normal autonomous invocation defaults. It does not request system-wide config modification or other skills' credentials. No persistence privileges are requested in the manifest.
What to consider before installing
This skill appears to be what it claims at a high level, but treat the 'local-only' privacy claim as unverified because the runtime binary is delivered by a pip package that the registry doesn't vet here. Before installing or running against sensitive code: 1) verify the 'hefesto-ai' package source (PyPI page, package owner, release history) and inspect its code or repository (the SKILL.md links a GitHub repo—confirm it matches the published package); 2) prefer installing and running it in an isolated environment (container, VM) and monitor outbound network activity; 3) inspect the package's setup/entry points for telemetry or network calls and review any licensing/activation flow linked to external endpoints; 4) avoid analyzing highly sensitive code with an unverified package until you can confirm it truly operates offline. If you want, I can list concrete commands to fetch and inspect the pip package before installation or suggest a safe sandbox workflow.


latest · vk97fqxwzk4gww443kshkx35k5s81zbsd


Runtime requirements

Clawdis
Bins: hefesto
