← Back to Skills Marketplace
1182
Downloads
0
Stars
1
Active Installs
6
Versions
Install in OpenClaw
/install hefestoai-auditor
Description
Static code analysis tool. Detects security vulnerabilities, code smells, and complexity issues across 17 languages. All analysis runs locally — no code leav...
README (SKILL.md)
HefestoAI Auditor
Static code analysis for security, quality, and complexity. Supports 17 languages.
Privacy: All analysis runs locally. No code is transmitted to external services. No network calls are made during analysis.
Permissions: This tool reads source files in the specified directory (read-only). It does not modify your code.
Install
pip install hefesto-ai
Quick Start
hefesto analyze /path/to/project --severity HIGH
Severity Levels
hefesto analyze /path/to/project --severity CRITICAL # Critical only
hefesto analyze /path/to/project --severity HIGH # High + Critical
hefesto analyze /path/to/project --severity MEDIUM # Medium + High + Critical
hefesto analyze /path/to/project --severity LOW # Everything
Output Formats
hefesto analyze /path/to/project --output text # Terminal (default)
hefesto analyze /path/to/project --output json # Structured JSON
hefesto analyze /path/to/project --output html --save-html report.html # HTML report
hefesto analyze /path/to/project --quiet # Summary only
Status and Version
hefesto status
hefesto --version
What It Detects
Security Vulnerabilities
- SQL injection and command injection
- Hardcoded secrets (API keys, passwords, tokens)
- Insecure configurations (Dockerfiles, Terraform, YAML)
- Path traversal and XSS risks
Semantic Drift (AI Code Integrity)
- Logic alterations that preserve syntax but change intent
- Architectural degradation from AI-generated code
- Hidden duplicates and inconsistencies in monorepos
Code Quality
- Cyclomatic complexity >10 (HIGH) or >20 (CRITICAL)
- Deep nesting (>4 levels)
- Long functions (>50 lines)
- Code smells and anti-patterns
DevOps Issues
- Dockerfile: missing USER, no HEALTHCHECK, running as root
- Shell: missing
set -euo pipefail, unquoted variables - Terraform: missing tags, hardcoded values
What It Does NOT Detect
- Runtime network attacks (DDoS, port scanning)
- Active intrusions (rootkits, privilege escalation)
- Network traffic monitoring
- For these, use SIEM/IDS/IPS or GCP Security Command Center
Supported Languages (17)
Code: Python, TypeScript, JavaScript, Java, Go, Rust, C#
DevOps/Config: Dockerfile, Jenkins/Groovy, JSON, Makefile, PowerShell, Shell, SQL, Terraform, TOML, YAML
Interpreting Results
file.py:42:10
Issue: Hardcoded database password detected
Function: connect_db
Type: HARDCODED_SECRET
Severity: CRITICAL
Suggestion: Move credentials to environment variables or a secrets manager
Issue Types
| Type | Severity | Action |
|---|---|---|
VERY_HIGH_COMPLEXITY |
CRITICAL | Fix immediately |
HIGH_COMPLEXITY |
HIGH | Fix in current sprint |
DEEP_NESTING |
HIGH | Refactor nesting levels |
SQL_INJECTION_RISK |
HIGH | Parameterize queries |
HARDCODED_SECRET |
CRITICAL | Remove and rotate |
LONG_FUNCTION |
MEDIUM | Split function |
CI/CD Integration
# Fail build on HIGH or CRITICAL issues
hefesto analyze /path/to/project --fail-on HIGH
# Pre-push git hook
hefesto install-hook
# Limit output
hefesto analyze /path/to/project --max-issues 10
# Exclude specific issue types
hefesto analyze /path/to/project --exclude-types VERY_HIGH_COMPLEXITY,LONG_FUNCTION
Licensing
| Tier | Price | Key Features |
|---|---|---|
| FREE | $0/mo | Static analysis, 17 languages, pre-push hooks |
| PRO | $8/mo | ML semantic analysis, REST API, BigQuery integration, custom rules |
| OMEGA | $19/mo | IRIS monitoring, auto-correlation, real-time alerts, team dashboard |
All paid tiers include a 14-day free trial.
See pricing and subscribe at hefestoai.narapallc.com.
To activate a license, see the setup guide at hefestoai.narapallc.com/setup.
About
Created by Narapa LLC (Miami, FL) — Arturo Velasquez (@artvepa)
- GitHub: github.com/artvepa80/Agents-Hefesto
- Support: [email protected]
Usage Guidance
This skill appears to be what it claims at a high level, but treat the 'local-only' privacy claim as unverified because the runtime binary is delivered by a pip package that the registry doesn't vet here. Before installing or running against sensitive code: 1) verify the 'hefesto-ai' package source (PyPI page, package owner, release history) and inspect its code or repository (the SKILL.md links a GitHub repo—confirm it matches the published package); 2) prefer installing and running it in an isolated environment (container, VM) and monitor outbound network activity; 3) inspect the package's setup/entry points for telemetry or network calls and review any licensing/activation flow linked to external endpoints; 4) avoid analyzing highly sensitive code with an unverified package until you can confirm it truly operates offline. If you want, I can list concrete commands to fetch and inspect the pip package before installation or suggest a safe sandbox workflow.
Capability Analysis
Type: OpenClaw Skill
Name: hefestoai-auditor
Version: 2.2.0
The OpenClaw AgentSkills bundle for 'hefestoai-auditor' appears benign. The `SKILL.md` file provides clear instructions for installing and using a static code analysis tool, `hefesto-ai`, via `pip`. It explicitly states that 'All analysis runs locally — no code leaves your machine' and 'No network calls are made during analysis,' which aligns with its stated purpose. There are no indications of prompt injection, data exfiltration, malicious execution, persistence mechanisms, or obfuscation within the provided files. The mention of an external domain (`hefestoai.narapallc.com`) is solely for licensing and setup information, not for data transfer or command execution by the agent.
Capability Assessment
Purpose & Capability
Name, description, and required binary ('hefesto') match the SKILL.md commands (e.g., 'hefesto analyze ...'). Requested capabilities (static analysis across many languages) are consistent with the CLI usage shown.
Instruction Scope
SKILL.md instructs only local read-only analysis of source directories, which is appropriate. However it explicitly asserts 'No network calls are made during analysis' while also advertising paid tiers with a REST API/BigQuery integration and pointing to external endpoints for licensing—these statements are inconsistent and the document gives no assurance or mechanism to validate that the installed package won't perform network activity. Because the skill is instruction-only and the actual binary comes from an external pip package, the claim of 'local-only' cannot be confirmed from the manifest alone.
Install Mechanism
There is no platform install spec in the registry, but the SKILL.md suggests installing a pip package 'hefesto-ai' which will provide the 'hefesto' binary. Installing via pip is common and reasonable for a CLI tool, but pip packages execute arbitrary Python code during installation and at run-time; the registry entry does not provide a vetted release URL, checksum, or PyPI page to verify. This is moderate risk but expected for a CLI delivered via pip.
Credentials
The skill does not declare any environment variables, credentials, or config paths. For a static analysis tool that reads local source files, this is proportionate.
Persistence & Privilege
The skill is not always-enabled and uses normal autonomous invocation defaults. It does not request system-wide config modification or other skills' credentials. No persistence privileges are requested in the manifest.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install hefestoai-auditor - After installation, invoke the skill by name or use
/hefestoai-auditor - Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.2.0
**Changelog for v2.2.0**
- Greatly simplified documentation and descriptions for clarity.
- Added an explicit privacy statement: all code analysis is fully local with no external network calls.
- Reduced marketing, internal architecture, and constitutional details; focused on practical usage.
- Installation, quick start, usage examples, and supported languages now easier to understand.
- Pricing and licensing instructions rewritten with direct links for user convenience.
v2.1.0
- Multi-model architecture is now active: Grok, DeepSeek, Claude, and OpenAI are integrated as operational sub-agents, not just planned.
- Documentation updated to reflect current active status of all models and includes new multi-model CLI usage examples.
- Added OpenAI GPT as a complementary analyst in the model roster.
- Expanded multi-model commands section for querying and orchestrating model pipelines directly.
- No changes to core audit features, but documentation now emphasizes external audit layer and multi-model workflows.
v2.0.0
Major v2.0 release: Skill now governed by a Socratic Adaptive Constitution with expanded AI safety and semantic analysis features.
- Introduces a formal Socratic Adaptive Constitution to guide all skill behavior
- Adds semantic drift detection for AI-generated code (detects hidden logic changes)
- Prepares Multi-Model Architecture: ready for DeepSeek, Claude Code, and Grok integration
- Clarifies security scope (static analysis, not runtime/network)
- Optimizes output with structured results and improved communication
- Updates documentation with new pro tips, model roles, and stricter usage rules
v1.2.0
- Added a "Recommended: Wrapper Script" section explaining how to ensure the Hefesto license is always loaded when running audits.
- Provided examples for creating wrapper and pre-built audit scripts to automate reliable analysis.
- No changes to core skill commands or feature set; documentation improved for installation and usage reliability.
v1.1.0
hefestoai-auditor 1.1.0
- Added new usage instructions, including severity filtering, output formats, and environment activation.
- Clarified required use of absolute paths and environment activation for licensing.
- Updated Pro Tips: added examples for limiting output, CI/CD gating, and excluding specific issue types.
- Expanded documentation of available output formats: text, JSON, HTML, and summary output.
- Tuned severity and issue type explanations for improved clarity.
- Documentation now partially in Spanish for key operational notes.
v1.0.0
Initial release of HefestoAI Auditor skill:
- AI-powered code analysis across 17 languages, detecting security vulnerabilities, code smells, complexity, and best practice issues.
- Supports static and ML-based analysis, with CLI commands for audits, status checks, REST API server, and Git pre-push hooks.
- Outputs detailed, severity-ranked findings and summary reports.
- Includes free and paid plans (with 14-day free trials) for advanced analysis and monitoring.
- Simple install via pip; requires `hefesto` binary.
Metadata
Frequently Asked Questions
What is Hefestoai Auditor?
Static code analysis tool. Detects security vulnerabilities, code smells, and complexity issues across 17 languages. All analysis runs locally — no code leav... It is an AI Agent Skill for Claude Code / OpenClaw, with 1182 downloads so far.
How do I install Hefestoai Auditor?
Run "/install hefestoai-auditor" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Hefestoai Auditor free?
Yes, Hefestoai Auditor is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Hefestoai Auditor support?
Hefestoai Auditor is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Hefestoai Auditor?
It is built and maintained by artvepa80 (@artvepa80); the current version is v2.2.0.
More Skills