
Hefestoai Auditor

Author: artvepa80 · GitHub ↗ · v2.2.0
cross-platform ⚠ suspicious
Total downloads: 1182
Favorites: 0
Current installs: 1
Versions: 6
Install in OpenClaw
/install hefestoai-auditor
Description
Static code analysis tool. Detects security vulnerabilities, code smells, and complexity issues across 17 languages. All analysis runs locally — no code leav...
Usage (SKILL.md)

HefestoAI Auditor

Static code analysis for security, quality, and complexity. Supports 17 languages.

Privacy: All analysis runs locally. No code is transmitted to external services. No network calls are made during analysis.

Permissions: This tool reads source files in the specified directory (read-only). It does not modify your code.


Install

pip install hefesto-ai

Quick Start

hefesto analyze /path/to/project --severity HIGH

Severity Levels

hefesto analyze /path/to/project --severity CRITICAL   # Critical only
hefesto analyze /path/to/project --severity HIGH        # High + Critical
hefesto analyze /path/to/project --severity MEDIUM      # Medium + High + Critical
hefesto analyze /path/to/project --severity LOW         # Everything

Output Formats

hefesto analyze /path/to/project --output text                          # Terminal (default)
hefesto analyze /path/to/project --output json                          # Structured JSON
hefesto analyze /path/to/project --output html --save-html report.html  # HTML report
hefesto analyze /path/to/project --quiet                                # Summary only

Status and Version

hefesto status
hefesto --version

What It Detects

Security Vulnerabilities

  • SQL injection and command injection
  • Hardcoded secrets (API keys, passwords, tokens)
  • Insecure configurations (Dockerfiles, Terraform, YAML)
  • Path traversal and XSS risks

Semantic Drift (AI Code Integrity)

  • Logic alterations that preserve syntax but change intent
  • Architectural degradation from AI-generated code
  • Hidden duplicates and inconsistencies in monorepos

Code Quality

  • Cyclomatic complexity >10 (HIGH) or >20 (CRITICAL)
  • Deep nesting (>4 levels)
  • Long functions (>50 lines)
  • Code smells and anti-patterns

DevOps Issues

  • Dockerfile: missing USER, no HEALTHCHECK, running as root
  • Shell: missing set -euo pipefail, unquoted variables
  • Terraform: missing tags, hardcoded values

What It Does NOT Detect

  • Runtime network attacks (DDoS, port scanning)
  • Active intrusions (rootkits, privilege escalation)
  • Network traffic monitoring
  • For these, use SIEM/IDS/IPS or GCP Security Command Center

Supported Languages (17)

Code: Python, TypeScript, JavaScript, Java, Go, Rust, C#

DevOps/Config: Dockerfile, Jenkins/Groovy, JSON, Makefile, PowerShell, Shell, SQL, Terraform, TOML, YAML


Interpreting Results

file.py:42:10
  Issue: Hardcoded database password detected
  Function: connect_db
  Type: HARDCODED_SECRET
  Severity: CRITICAL
  Suggestion: Move credentials to environment variables or a secrets manager

Issue Types

Type                  Severity   Action
VERY_HIGH_COMPLEXITY  CRITICAL   Fix immediately
HIGH_COMPLEXITY       HIGH       Fix in current sprint
DEEP_NESTING          HIGH       Refactor nesting levels
SQL_INJECTION_RISK    HIGH       Parameterize queries
HARDCODED_SECRET      CRITICAL   Remove and rotate
LONG_FUNCTION         MEDIUM     Split function

CI/CD Integration

# Fail build on HIGH or CRITICAL issues
hefesto analyze /path/to/project --fail-on HIGH

# Pre-push git hook
hefesto install-hook

# Limit output
hefesto analyze /path/to/project --max-issues 10

# Exclude specific issue types
hefesto analyze /path/to/project --exclude-types VERY_HIGH_COMPLEXITY,LONG_FUNCTION
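To make the thresholds, issue types and severity gating above concrete, here is an added Python example that is not Hefesto's own code. It applies the Code Quality limits from this SKILL.md (complexity >10 HIGH, >20 CRITICAL; nesting >4; functions >50 lines) to Python source, flags string constants assigned to credential-looking names, maps each issue type to the severity in the Issue Types table, prints findings in the "Interpreting Results" layout, and models the `--severity` (High + Critical, etc.) and `--fail-on` behaviour. The thresholds and severities are the page's; the choice of AST nodes that count as branches or nesting, the secret-name heuristic, the 1-based column convention and the sample input are this example's own assumptions.

```python
"""Added illustration of the SKILL.md Code Quality thresholds (not Hefesto's code)."""
import ast
from dataclasses import dataclass

# Severity per issue type, copied from the page's "Issue Types" table.
SEVERITY = {
    "VERY_HIGH_COMPLEXITY": "CRITICAL",
    "HIGH_COMPLEXITY": "HIGH",
    "DEEP_NESTING": "HIGH",
    "HARDCODED_SECRET": "CRITICAL",
    "LONG_FUNCTION": "MEDIUM",
}
RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}

# Assumption: each of these nodes adds one independent path to the cyclomatic count.
_BRANCH_NODES = (ast.If, ast.For, ast.While, ast.ExceptHandler, ast.IfExp, ast.comprehension)
# Assumption: each of these nodes adds one nesting level.
_NESTING_NODES = (ast.If, ast.For, ast.While, ast.With, ast.Try)
# Heuristic: variable names that suggest a credential.
_SECRET_HINTS = ("password", "passwd", "secret", "token", "api_key", "apikey")


@dataclass
class Finding:
    path: str
    line: int
    col: int          # 1-based like an editor; ast gives 0-based offsets
    issue: str
    function: str
    type: str

    @property
    def severity(self) -> str:
        return SEVERITY[self.type]

    def render(self) -> str:
        """Mirror the layout shown under 'Interpreting Results'."""
        return (f"{self.path}:{self.line}:{self.col}\n  Issue: {self.issue}\n"
                f"  Function: {self.function}\n  Type: {self.type}\n  Severity: {self.severity}")


def cyclomatic_complexity(func: ast.AST) -> int:
    score = 1                                # one path through straight-line code
    for node in ast.walk(func):
        if isinstance(node, _BRANCH_NODES):
            score += 1
        elif isinstance(node, ast.BoolOp):
            score += len(node.values) - 1    # every extra and/or operand short-circuits
    return score


def max_nesting(func: ast.AST) -> int:
    def depth(node: ast.AST, current: int) -> int:
        deepest = current
        for child in ast.iter_child_nodes(node):
            step = 1 if isinstance(child, _NESTING_NODES) else 0
            deepest = max(deepest, depth(child, current + step))
        return deepest
    return depth(func, 0)


def analyze_source(path: str, source: str) -> list:
    """Return Findings for every function in `source` (module-level code is not scanned)."""
    findings = []
    for fn in ast.walk(ast.parse(source)):
        if not isinstance(fn, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        at = (path, fn.lineno, fn.col_offset + 1)
        cc = cyclomatic_complexity(fn)
        if cc > 20:
            findings.append(Finding(*at, f"Cyclomatic complexity {cc} (>20)", fn.name, "VERY_HIGH_COMPLEXITY"))
        elif cc > 10:
            findings.append(Finding(*at, f"Cyclomatic complexity {cc} (>10)", fn.name, "HIGH_COMPLEXITY"))
        if (depth := max_nesting(fn)) > 4:
            findings.append(Finding(*at, f"Nesting depth {depth} (>4)", fn.name, "DEEP_NESTING"))
        if (length := fn.end_lineno - fn.lineno + 1) > 50:
            findings.append(Finding(*at, f"Function is {length} lines (>50)", fn.name, "LONG_FUNCTION"))
        for stmt in ast.walk(fn):   # string literal assigned to a credential-looking name
            if (isinstance(stmt, ast.Assign) and isinstance(stmt.value, ast.Constant)
                    and isinstance(stmt.value.value, str) and stmt.value.value):
                for target in stmt.targets:
                    if isinstance(target, ast.Name) and any(h in target.id.lower() for h in _SECRET_HINTS):
                        findings.append(Finding(path, stmt.lineno, stmt.col_offset + 1,
                                                f"Hardcoded value assigned to '{target.id}'",
                                                fn.name, "HARDCODED_SECRET"))
    return findings


def filter_by_severity(findings: list, minimum: str) -> list:
    """--severity semantics from the page: HIGH keeps High + Critical, LOW keeps everything."""
    return [f for f in findings if RANK[f.severity] >= RANK[minimum]]


def should_fail(findings: list, fail_on: str) -> bool:
    """--fail-on semantics: non-zero exit when any finding reaches the threshold."""
    return bool(filter_by_severity(findings, fail_on))


# Constructed sample input (not from any real project).
SAMPLE = '''\
def connect_db(host):
    db_password = "constructed-sample-not-a-real-secret"
    return host, db_password

def triage(event):
    if event.get("kind") == "login":
        for attempt in event["attempts"]:
            if attempt["failed"]:
                while attempt["retries"] > 0:
                    if attempt["ip"] in BLOCKLIST:
                        return "block"
                    attempt["retries"] -= 1
    return "allow"
'''

if __name__ == "__main__":
    results = analyze_source("sample.py", SAMPLE)
    for finding in filter_by_severity(results, "HIGH"):
        print(finding.render(), end="\n\n")
    raise SystemExit(1 if should_fail(results, "HIGH") else 0)
```

Run as a script it reports the CRITICAL hardcoded secret in `connect_db` and the HIGH deep-nesting finding in `triage` (depth 5), then exits 1 because `--fail-on HIGH` is modelled; the same two findings pass a `--severity HIGH` filter while only the secret survives `--severity CRITICAL`. Real Hefesto output for other languages will differ; the point is how thresholds, types and severities combine into a build gate.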

Licensing

Tier   Price    Key Features
FREE   $0/mo    Static analysis, 17 languages, pre-push hooks
PRO    $8/mo    ML semantic analysis, REST API, BigQuery integration, custom rules
OMEGA  $19/mo   IRIS monitoring, auto-correlation, real-time alerts, team dashboard

All paid tiers include a 14-day free trial.

See pricing and subscribe at hefestoai.narapallc.com.

To activate a license, see the setup guide at hefestoai.narapallc.com/setup.


About

Created by Narapa LLC (Miami, FL) — Arturo Velasquez (@artvepa)

Safe usage advice
This skill appears to be what it claims at a high level, but treat the 'local-only' privacy claim as unverified because the runtime binary is delivered by a pip package that the registry doesn't vet here. Before installing or running against sensitive code: 1) verify the 'hefesto-ai' package source (PyPI page, package owner, release history) and inspect its code or repository (the SKILL.md links a GitHub repo—confirm it matches the published package); 2) prefer installing and running it in an isolated environment (container, VM) and monitor outbound network activity; 3) inspect the package's setup/entry points for telemetry or network calls and review any licensing/activation flow linked to external endpoints; 4) avoid analyzing highly sensitive code with an unverified package until you can confirm it truly operates offline. If you want, I can list concrete commands to fetch and inspect the pip package before installation or suggest a safe sandbox workflow.
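The pre-install inspection recommended above, as an added Python example that is neither the registry's nor Hefesto's code: after fetching the source distribution with `pip download --no-deps --no-binary :all: hefesto-ai` and unpacking it, `scan_directory` walks the tree and reports imports that give the code a network capability, embedded URLs, install-time code (`setup.py`, which pip executes) and console entry points. The module list, regexes and verdict wording are this example's heuristics, and the sample package is constructed, not a real distribution; a clean report narrows where to read, it does not prove the package never makes network calls.

```python
"""Added example: evidence-gathering for a pip package's 'local-only' claim (not the tool's code)."""
from __future__ import annotations
import ast
import os
import re

# Heuristic: importing one of these gives Python code a network capability.
NETWORK_MODULES = {"socket", "ssl", "http", "urllib", "requests", "httpx",
                   "aiohttp", "websocket", "websockets", "grpc", "ftplib", "smtplib"}
_URL_RE = re.compile(r"https?://[^\s'\"]+")
_ENTRY_RE = re.compile(r"([\w-]+)\s*=\s*[\"']?([\w.]+):([\w.]+)")   # name = "pkg.mod:func"
_PACKAGING_FILES = ("setup.py", "setup.cfg", "pyproject.toml")


def _imports(source: str):
    """Yield (module, line) for each import statement; unparsable files yield nothing."""
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                yield alias.name, node.lineno
        elif isinstance(node, ast.ImportFrom) and node.module:   # skip relative 'from . import x'
            yield node.module, node.lineno


def scan_sources(files: dict[str, str]) -> dict:
    """files maps a package-relative path to its text; returns the evidence found."""
    report = {"network_imports": [], "urls": [], "entry_points": [], "install_time_code": []}
    for path, text in sorted(files.items()):
        base = os.path.basename(path)
        if path.endswith(".py"):
            for module, line in _imports(text):
                if module.split(".")[0] in NETWORK_MODULES:
                    report["network_imports"].append((path, line, module))
        if base == "setup.py":
            report["install_time_code"].append(path)        # pip runs this during install
        report["urls"].extend((path, m.group(0)) for m in _URL_RE.finditer(text))
        if base in _PACKAGING_FILES:                         # where console scripts are declared
            report["entry_points"].extend((m.group(1), f"{m.group(2)}:{m.group(3)}")
                                          for m in _ENTRY_RE.finditer(text))
    return report


def scan_directory(root: str) -> dict:
    """Walk an unpacked sdist or wheel on disk and feed every file to scan_sources."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="ignore") as fh:
                files[os.path.relpath(full, root).replace(os.sep, "/")] = fh.read()
    return scan_sources(files)


def verdict(report: dict) -> str:
    if report["network_imports"]:
        return "network-capable code present: read the listed modules before trusting a local-only claim"
    return "no network-capable imports found (does not prove the package never phones home)"


# Constructed sample package (not a real distribution); license.py models an activation flow.
SAMPLE_PACKAGE = {
    "pyproject.toml": ('[project]\nname = "example-auditor"\nversion = "0.1.0"\n'
                       '[project.scripts]\nexample-audit = "example_auditor.cli:main"\n'),
    "example_auditor/cli.py": "import sys\nfrom . import engine\n\ndef main():\n    print(engine.run(sys.argv[1:]))\n",
    "example_auditor/engine.py": "import ast\n\ndef run(paths):\n    return len(paths)\n",
    "example_auditor/license.py": ('import requests\n\nACTIVATE_URL = "https://license.example.invalid/activate"\n\n'
                                   'def activate(key):\n    return requests.post(ACTIVATE_URL, json={"key": key}).status_code\n'),
}

if __name__ == "__main__":
    result = scan_sources(SAMPLE_PACKAGE)
    for section, hits in result.items():
        print(f"{section}: {hits}")
    print(verdict(result))
```

On the sample the report points at `example_auditor/license.py` (a `requests` import plus an activation URL) and at the `example-audit` console script, which is exactly the shape of evidence the advice asks for: the engine module is offline, the licensing module is not, so a claim of "no network calls during analysis" would have to be checked by reading how and when the licensing code is invoked. Run the same scan inside the sandbox you install into, then compare what you found with the outbound connections you observe at runtime.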
Functional analysis
Type: OpenClaw Skill
Name: hefestoai-auditor
Version: 2.2.0
The OpenClaw AgentSkills bundle for 'hefestoai-auditor' appears benign. The `SKILL.md` file provides clear instructions for installing and using a static code analysis tool, `hefesto-ai`, via `pip`. It explicitly states that 'All analysis runs locally — no code leaves your machine' and 'No network calls are made during analysis,' which aligns with its stated purpose. There are no indications of prompt injection, data exfiltration, malicious execution, persistence mechanisms, or obfuscation within the provided files. The mention of an external domain (`hefestoai.narapallc.com`) is solely for licensing and setup information, not for data transfer or command execution by the agent.
Capability assessment
Purpose & Capability
Name, description, and required binary ('hefesto') match the SKILL.md commands (e.g., 'hefesto analyze ...'). Requested capabilities (static analysis across many languages) are consistent with the CLI usage shown.
Instruction Scope
SKILL.md instructs only local read-only analysis of source directories, which is appropriate. However, it explicitly asserts 'No network calls are made during analysis' while also advertising paid tiers with a REST API/BigQuery integration and pointing to external endpoints for licensing—these statements are inconsistent and the document gives no assurance or mechanism to validate that the installed package won't perform network activity. Because the skill is instruction-only and the actual binary comes from an external pip package, the claim of 'local-only' cannot be confirmed from the manifest alone.
Install Mechanism
There is no platform install spec in the registry, but the SKILL.md suggests installing a pip package 'hefesto-ai' which will provide the 'hefesto' binary. Installing via pip is common and reasonable for a CLI tool, but pip packages execute arbitrary Python code during installation and at run-time; the registry entry does not provide a vetted release URL, checksum, or PyPI page to verify. This is moderate risk but expected for a CLI delivered via pip.
Credentials
The skill does not declare any environment variables, credentials, or config paths. For a static analysis tool that reads local source files, this is proportionate.
Persistence & Privilege
The skill is not always-enabled and uses normal autonomous invocation defaults. It does not request system-wide config modification or other skills' credentials. No persistence privileges are requested in the manifest.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install hefestoai-auditor
  3. After installation, call the Skill by name directly or trigger it with /hefestoai-auditor
  4. Provide the required inputs as described in the Skill's parameter notes to get structured output
Version history
v2.2.0
Changelog for v2.2.0
- Greatly simplified documentation and descriptions for clarity.
- Added an explicit privacy statement: all code analysis is fully local with no external network calls.
- Reduced marketing, internal architecture, and constitutional details; focused on practical usage.
- Installation, quick start, usage examples, and supported languages now easier to understand.
- Pricing and licensing instructions rewritten with direct links for user convenience.
v2.1.0
- Multi-model architecture is now active: Grok, DeepSeek, Claude, and OpenAI are integrated as operational sub-agents, not just planned.
- Documentation updated to reflect current active status of all models and includes new multi-model CLI usage examples.
- Added OpenAI GPT as a complementary analyst in the model roster.
- Expanded multi-model commands section for querying and orchestrating model pipelines directly.
- No changes to core audit features, but documentation now emphasizes external audit layer and multi-model workflows.
v2.0.0
Major v2.0 release: Skill now governed by a Socratic Adaptive Constitution with expanded AI safety and semantic analysis features.
- Introduces a formal Socratic Adaptive Constitution to guide all skill behavior
- Adds semantic drift detection for AI-generated code (detects hidden logic changes)
- Prepares Multi-Model Architecture: ready for DeepSeek, Claude Code, and Grok integration
- Clarifies security scope (static analysis, not runtime/network)
- Optimizes output with structured results and improved communication
- Updates documentation with new pro tips, model roles, and stricter usage rules
v1.2.0
- Added a "Recommended: Wrapper Script" section explaining how to ensure the Hefesto license is always loaded when running audits.
- Provided examples for creating wrapper and pre-built audit scripts to automate reliable analysis.
- No changes to core skill commands or feature set; documentation improved for installation and usage reliability.
v1.1.0
hefestoai-auditor 1.1.0
- Added new usage instructions, including severity filtering, output formats, and environment activation.
- Clarified required use of absolute paths and environment activation for licensing.
- Updated Pro Tips: added examples for limiting output, CI/CD gating, and excluding specific issue types.
- Expanded documentation of available output formats: text, JSON, HTML, and summary output.
- Tuned severity and issue type explanations for improved clarity.
- Documentation now partially in Spanish for key operational notes.
v1.0.0
Initial release of HefestoAI Auditor skill:
- AI-powered code analysis across 17 languages, detecting security vulnerabilities, code smells, complexity, and best practice issues.
- Supports static and ML-based analysis, with CLI commands for audits, status checks, REST API server, and Git pre-push hooks.
- Outputs detailed, severity-ranked findings and summary reports.
- Includes free and paid plans (with 14-day free trials) for advanced analysis and monitoring.
- Simple install via pip; requires `hefesto` binary.
Metadata
Slug: hefestoai-auditor
Version: 2.2.0
License:
Cumulative installs: 1
Current installs: 1
Historical versions: 6
FAQ

What is Hefestoai Auditor?

Static code analysis tool. Detects security vulnerabilities, code smells, and complexity issues across 17 languages. All analysis runs locally — no code leav... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 1182 cumulative downloads so far.

How do I install Hefestoai Auditor?

Run the command "/install hefestoai-auditor" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.

Is Hefestoai Auditor free?

Yes, Hefestoai Auditor is completely free (open source and free of charge) and can be freely downloaded, installed and used.

Which platforms does Hefestoai Auditor support?

Hefestoai Auditor runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Hefestoai Auditor?

Developed and maintained by artvepa80 (@artvepa80); current version v2.2.0.
