Heimdall Security Scanner
Security checks across malware telemetry and agentic risk
Overview
The skill's stated scanning purpose is plausible, but there are inconsistencies and small-but-important risks (undeclared API key usage, prompt-injection pattern present, and guidance to persist secrets/config) that warrant manual review before installing.
Heimdall appears to be a genuine skill-scanner, but before installing:
1) Inspect scripts/skill-scan.py yourself (look for network destinations, remote fetches, subprocess exec/pipe-to-shell patterns, and any code that exfiltrates files).
2) Note that SKILL.md requires OPENROUTER_API_KEY for AI analysis but the registry metadata didn't declare it; treat the key as optional and avoid storing it in plaintext, preferring an environment variable set per-session.
3) Don't blindly run the suggested alias command; instead, run the scanner manually from a sandbox/VM first.
4) If you plan to use --analyze, review what data is sent to OpenRouter and redact any sensitive files before scanning.
5) If you lack the ability to audit the Python script, run the tool in an isolated environment (container/VM) or decline installation.
SkillSpector
SkillSpector findings are pending for this release.
VirusTotal
No VirusTotal findings
