Is artvepa80/hefestoai-auditor safe?
https://github.com/openclaw/skills/tree/main/skills/artvepa80/hefestoai-auditor
HefestoAI Auditor is a commercial code analysis skill that wraps a pip-installed tool with significant attack surface. The primary concerns are the opaque pip package with full system access, a multi-model architecture that explicitly sends user code to 5 external AI services, git hook installation capability, and mandatory environment file sourcing. No malicious behavior was detected during installation, but the runtime capabilities create substantial risk if the package is compromised or acts beyond its stated purpose.
Findings (10)
HIGH (-25): Multi-model architecture sends code to 5 external AI services
The skill documents a multi-model architecture where user code is sent to Grok, DeepSeek, Claude, OpenAI GPT, and Gemini via Python scripts. Commands like 'python3 ~/hefesto_tools/multi_model/query_model.py --model grok' and 'orchestrate.py --task code-review --input' explicitly transmit user code to third-party services without clear consent boundaries.
HIGH (-20): Opaque pip package hefesto-ai with full system access
The skill requires installing the hefesto-ai pip package which gains full code execution capability on the host. Pip packages can execute arbitrary code during installation (via setup.py/pyproject.toml hooks) and at runtime. The package contents cannot be verified from the skill definition alone.
HIGH (-15): Git hook installation capability
The skill documents a 'hefesto install-hook' command that installs pre-push git hooks. Git hooks execute automatically on git operations and could run arbitrary code every time the user commits or pushes, creating a persistent code execution foothold.
MEDIUM (-10): Mandatory environment file sourcing suppresses errors
The skill instructs the agent to always run 'source /home/user/.hefesto_env 2>/dev/null' before commands. This sources an opaque environment file that could contain arbitrary shell code, and the 2>/dev/null redirect discards all error output, which could hide any failure or malicious activity. The file is created by the pip package installation.
MEDIUM (-15): Code analysis tool processes all project source code
The hefesto analyze command is designed to scan entire project directories. When run through an opaque binary installed via pip, there is no guarantee that code is only analyzed locally. The licensing system (HEFESTO_LICENSE_KEY) implies server communication that could include telemetry.
MEDIUM (-10): Agent behavior steering with absolute directives
The skill uses strong behavioral directives (ALWAYS, NEVER) to control agent behavior, including always sourcing environment files, always using absolute paths, and restricting output to only what hefesto returns. While individually benign, these create a pattern of agent control that could mask malicious behavior.
MEDIUM (-5): References external CLAUDE.md for additional instructions
The skill states 'Full constitution: see workspace CLAUDE.md', directing the agent to seek additional behavioral instructions from another file. This could be used to chain additional prompt injection if the CLAUDE.md contains manipulated content.
LOW (-10): Commercial payment links embedded in agent prompt
The skill embeds Stripe payment URLs for PRO ($8/mo) and OMEGA ($19/mo) tiers directly in the skill content. When injected into an agent's system prompt, the agent may present these commercial links to users during normal interactions, functioning as embedded advertising.
INFO (-5): Clean installation with expected network activity only
Installation monitoring shows only expected network connections (GitHub for clone, Ubuntu apt servers, potential PyPI hosts for pip). No unexpected processes were spawned and no firewall-blocked connections were detected.
INFO (0): All honeypot files remain intact
No canary files (.env, SSH keys, AWS credentials, npmrc, Docker config, GCloud credentials) were accessed or modified during installation.