Hefestoai Auditor
Pass
Audited by ClawScan on May 1, 2026.
Overview
This appears to be a normal local static-analysis skill, with user-directed installation and an optional Git hook that users should enable only intentionally.
Before installing, verify the `hefesto-ai` package and only run the analyzer on the project directories you intend to scan. Enable the pre-push hook only if you want it to persist in that repository.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run on a broad directory, the tool may inspect more local code or configuration files than the user intended.
The analyzer needs local source-file access to perform static analysis. The access is disclosed and read-only, but the chosen path determines how much private code or embedded secret material it can inspect.
This tool reads source files in the specified directory (read-only).
Run it only on the specific project directory you want audited, and review any generated reports before sharing them.
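A pre-flight scope check of the kind this finding calls for, added here as an illustration rather than taken from the skill or from ClawScan: it counts the files under a candidate path and flags filenames that commonly hold secrets, so the path can be narrowed before the analyzer runs. The filename patterns and the sample tree are assumptions made for the demo, and the check does not invoke hefesto itself.

```shell
#!/bin/sh
# Pre-flight scope check before pointing a static analyzer at a directory:
# count what it could read and flag filenames that usually hold secrets, so
# the path can be narrowed first. The filename patterns are an assumption
# (common secret-bearing names), not a list from hefesto-ai's documentation,
# and nothing here invokes hefesto itself.

# scope_count DIR: number of regular files under DIR the analyzer could read
scope_count() {
    find "$1" -type f 2>/dev/null | wc -l | tr -d ' '
}

# scope_sensitive DIR: paths under DIR whose names suggest secret material
scope_sensitive() {
    find "$1" -type f \( -name '.env' -o -name '.env.*' -o -name '*.pem' \
        -o -name '*.key' -o -name 'id_rsa' -o -name 'id_ed25519' \
        -o -name '*.p12' -o -name '.npmrc' -o -name '.pypirc' \
        -o -name '*credentials*' \) 2>/dev/null | sort
}

# scope_check DIR: print a summary; return 1 when sensitive-looking files
# exist so a wrapper can stop and ask before running the analyzer on DIR.
scope_check() {
    dir=$1
    total=$(scope_count "$dir")
    hits=$(scope_sensitive "$dir")
    echo "Scope: $dir ($total regular files readable by the analyzer)"
    if [ -n "$hits" ]; then
        echo "Filenames that suggest secret material:"
        echo "$hits" | sed 's/^/  /'
        echo "Narrow the path or move these aside before scanning $dir"
        return 1
    fi
    echo "No obviously secret-bearing filenames under $dir"
    return 0
}

# demo_tree: constructed sample project (not a real repository) with one
# source file and two secret-looking files in a deploy/ subdirectory.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/src" "$d/deploy"
    echo 'print("hello")' > "$d/src/app.py"
    echo 'DB_PASSWORD=placeholder' > "$d/deploy/.env"
    echo 'placeholder, not a real key' > "$d/deploy/server.pem"
    echo "$d"
}

# Usage: sh scope_check.sh /path/to/project  (exit 1 = review before scanning)
if [ $# -gt 0 ]; then
    scope_check "$1"
fi
```

Running the check on the whole demo tree reports both secret-looking files and exits non-zero; running it on the src/ subdirectory alone passes, which is the narrowing the finding recommends.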
Installing the package gives third-party code normal package-install and CLI execution privileges on the user's machine.
The skill requires installing an external PyPI package to provide the `hefesto` binary. This is expected for a CLI-wrapper skill, but the package code is not included in the artifact set.
pip install hefesto-ai
Verify the PyPI package, publisher, version, and any available source repository before installing; consider pinning a known-good version.
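One way to act on this recommendation, added here as an example and not part of the skill or the audit: download the exact release, inspect it, and record its sha256 in a requirements line that pip will refuse to install unless the artifact matches. The wheel filename hefesto_ai-0.0.0-py3-none-any.whl and its contents are constructed stand-ins; the real version and hash must come from the release you actually reviewed.

```shell
#!/bin/sh
# Pin a PyPI package to an artifact you have inspected. Instead of
# "pip install hefesto-ai" pulling whatever is current, download the exact
# release, review it, record its sha256, and install only what matches.
# The sample wheel below is constructed for the demo; the real version and
# hash must come from the artifact you reviewed.

# sha256_of FILE: hex digest, using whichever tool the platform provides
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# wheel_name_version FILE: "name version" parsed from a wheel filename
# (PEP 427: {distribution}-{version}(-{build})?-{python}-{abi}-{platform}.whl)
wheel_name_version() {
    base=${1##*/}
    base=${base%.whl}
    name=${base%%-*}
    rest=${base#*-}
    version=${rest%%-*}
    echo "$name $version"
}

# hashed_requirement FILE: a requirements.txt line pinning name, version and
# sha256, for use with: pip install --require-hashes -r requirements.txt
hashed_requirement() {
    nv=$(wheel_name_version "$1")
    name=${nv% *}
    version=${nv#* }
    echo "$name==$version --hash=sha256:$(sha256_of "$1")"
}

# verify_wheel FILE EXPECTED_SHA256: succeeds only if the artifact matches
verify_wheel() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# Typical flow (needs network; not run by this script):
#   pip download hefesto-ai==<version> --no-deps -d ./dist
#   unzip -l ./dist/*.whl                      # inspect what is inside
#   hashed_requirement ./dist/*.whl >> requirements.txt
#   pip install --require-hashes -r requirements.txt

# sample_wheel: constructed stand-in artifact, not a real hefesto-ai release
sample_wheel() {
    d=$(mktemp -d)
    printf 'constructed wheel contents\n' > "$d/hefesto_ai-0.0.0-py3-none-any.whl"
    echo "$d/hefesto_ai-0.0.0-py3-none-any.whl"
}
```

pip normalizes hefesto_ai and hefesto-ai to the same project name, so the generated line applies to the package named in this finding; with --require-hashes, a later upload under the same version that does not match the recorded digest fails to install.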
A Git hook may continue running the analyzer on future pushes until the hook is removed.
The documented hook command can add persistent repository behavior that runs during future Git pushes. It is disclosed as CI/CD integration and appears user-directed.
# Pre-push git hook
hefesto install-hook
Use the hook only in repositories where you want this behavior, and inspect or remove the Git hook if it is no longer needed.
