Is henrino3/heimdall safe?
https://github.com/openclaw/skills/tree/main/skills/henrino3/heimdall
Heimdall is a structurally legitimate AI skill security scanner with a clean installation profile — no prompt injection, no install-time credential access, no unexpected network connections, and all canary files intact. The primary risk is architectural: the AI-powered analysis mode (actively promoted as 'Recommended') transmits up to 30KB of any scanned skill's source code plus raw credential match strings to OpenRouter's API, creating a third-party data pipeline that would capture secrets embedded in any skill the agent later reviews. A version metadata inconsistency (_meta.json latest=1.0.1 vs skill.json=4.0.0, with 4.0.0 listed as historically older) cannot be explained by normal versioning and raises supply chain integrity concerns.
Findings (10)
HIGH AI analysis mode transmits full scanned skill content to third-party OpenRouter API -35
The --analyze flag, actively promoted as 'Recommended' in SKILL.md, causes generate_ai_analysis() to construct a prompt containing up to 30,000 characters of the target skill's source files plus up to 30 scan findings, including the raw strings matched by the credential rules. The whole payload is sent with urllib.request.urlopen to https://openrouter.ai/api/v1/chat/completions. Any API keys, tokens, private keys or other secrets present in a scanned skill therefore leave the host twice, once inside the quoted source and once as a finding, and become visible to OpenRouter, to whichever upstream model provider OpenRouter routes the request to, and to anyone with access to that OpenRouter account. The findings are sent with their raw match strings; no redaction step sits between the scanner and the request.
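What a redaction step between the scanner and the outbound request would look like, as an added example written for this review rather than code from heimdall. The file names, the findings and the secret they contain are constructed sample input, SECRET_RE is an illustrative pattern list (not the scanner's rules), and the 30,000-character and 30-finding caps are the ones the report quotes. The point is that the credential rules already know exactly which strings are secrets, so those strings can be replaced with a fingerprint before anything leaves the host.

```python
import hashlib
import json
import re

# Constructed sample input: a scanned skill's files and the scanner's findings,
# mirroring the shape the report describes (quoted source plus credential matches).
SAMPLE_FILES = {
    "skill.py": 'API_KEY = "sk-live-ABCDEF1234567890abcdef"\n' + "x = 1\n" * 50,
    "README.md": "# demo skill\n",
}
SAMPLE_FINDINGS = [
    {"rule": "hardcoded-credential", "file": "skill.py", "line": 1,
     "match": "sk-live-ABCDEF1234567890abcdef"},
    {"rule": "shell-exec", "file": "skill.py", "line": 7, "match": "subprocess.run("},
]

MAX_SOURCE_CHARS = 30_000   # cap quoted in the report
MAX_FINDINGS = 30           # cap quoted in the report

# Illustrative secret shapes (assumption, not the scanner's own rule set). Anything the
# credential rules matched is redacted regardless of whether it fits one of these.
SECRET_RE = re.compile(r"(sk-[A-Za-z0-9_-]{16,}|AKIA[0-9A-Z]{16}|ghp_[A-Za-z0-9]{30,})")


def redact(value: str) -> str:
    """Replace a secret with a fingerprint that is useful for triage but not reusable."""
    digest = hashlib.sha256(value.encode()).hexdigest()[:12]
    return f"<redacted {len(value)} chars sha256:{digest}>"


def build_analysis_payload(files, findings, max_chars=MAX_SOURCE_CHARS,
                           max_findings=MAX_FINDINGS):
    """Build the text that would be sent to a remote model, with secrets stripped first."""
    # 1. The exact strings the credential rules matched must never leave the host.
    secrets = {f["match"] for f in findings if f["rule"].endswith("credential")}

    # 2. Keep rule and location for each finding, but replace the raw match.
    safe_findings = []
    for f in findings[:max_findings]:
        match = f["match"]
        if match in secrets or SECRET_RE.fullmatch(match):
            match = redact(match)
        safe_findings.append({**f, "match": match})

    # 3. Redact the same strings, plus generic secret shapes, inside the quoted source.
    source_parts = []
    for name, text in files.items():
        for s in sorted(secrets, key=len, reverse=True):
            text = text.replace(s, redact(s))
        text = SECRET_RE.sub(lambda m: redact(m.group(0)), text)
        source_parts.append(f"### {name}\n{text}")
    source = "\n".join(source_parts)

    # 4. Apply the size cap only after redaction so a secret is never half-truncated.
    truncated = len(source) > max_chars
    return {
        "findings": safe_findings,
        "source": source[:max_chars],
        "truncated": truncated,
    }


def payload_leaks(payload, secrets) -> bool:
    """True if any raw secret string survives into the outbound payload."""
    blob = json.dumps(payload)
    return any(s in blob for s in secrets)
```

Redaction is done on the serialized payload as a whole, not just on the findings, because the same secret appears a second time inside the quoted source; the fingerprint lets the remote analysis still say "credential on line 1" without the credential itself.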
HIGH Version metadata inconsistency indicates possible supply chain tampering -30
_meta.json declares the 'latest' version as 1.0.1 (published timestamp 1770464563629), but skill.json claims version 4.0.0, and _meta.json's own history shows 4.0.0 was published at an EARLIER timestamp (1770297018125). A version numbered 4.0.0 cannot be older than 1.0.1 under any rational versioning scheme. This discrepancy suggests either that _meta.json was modified after publication so that a newer version appears older, or that the skill files come from a different version than the registry metadata describes. A third, benign possibility worth ruling out is that the version field in skill.json is maintained by hand and was never reconciled with the registry's own numbering; the check is to compare the registry history against the upstream repository's tags and commit dates for this path. Until that is done, the metadata cannot be trusted to identify which code was actually reviewed.
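A check for the ordering problem described above, as an added example that is not part of heimdall or of the registry tooling. The _meta.json and skill.json structures are assumed: a 'latest' field and a 'versions' list whose entries carry 'version' and 'publishedAt' (milliseconds since the epoch), populated here with the values the report quotes. It reports every way the registry metadata and the manifest disagree rather than stopping at the first.

```python
import re
from datetime import datetime, timezone

# Constructed sample registry metadata and manifest, mirroring the values the report quotes.
# The field layout is an assumption about _meta.json / skill.json, not a documented schema.
SAMPLE_META = {
    "latest": "1.0.1",
    "versions": [
        {"version": "4.0.0", "publishedAt": 1770297018125},
        {"version": "1.0.1", "publishedAt": 1770464563629},
    ],
}
SAMPLE_SKILL = {"name": "heimdall", "version": "4.0.0"}

SEMVER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")


def parse_semver(version):
    """Turn 'MAJOR.MINOR.PATCH[-pre]' into a tuple that sorts the way semver orders."""
    m = SEMVER_RE.match(version.strip())
    if not m:
        raise ValueError(f"not a semantic version: {version!r}")
    major, minor, patch, pre = m.groups()
    # A pre-release sorts before the release with the same numbers (1.0.0-rc1 < 1.0.0).
    return (int(major), int(minor), int(patch), 0 if pre else 1, pre or "")


def _when(ms):
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%SZ")


def check_version_history(meta, skill):
    """Return a list of human-readable inconsistencies; an empty list means consistent."""
    issues = []
    history = sorted(meta["versions"], key=lambda e: e["publishedAt"])

    # 1. Versions must be non-decreasing in publication order.
    for older, newer in zip(history, history[1:]):
        if parse_semver(newer["version"]) < parse_semver(older["version"]):
            issues.append(
                f"version {newer['version']} published {_when(newer['publishedAt'])} "
                f"is lower than {older['version']} published {_when(older['publishedAt'])}"
            )

    # 2. 'latest' should be the most recently published entry ...
    newest = history[-1]["version"]
    if meta["latest"] != newest:
        issues.append(f"latest={meta['latest']} but most recently published is {newest}")

    # 3. ... and also the highest version number in the history.
    highest = max((e["version"] for e in history), key=parse_semver)
    if meta["latest"] != highest:
        issues.append(f"latest={meta['latest']} but highest published version is {highest}")

    # 4. The manifest inside the checked-out files should agree with the registry.
    manifest = skill.get("version")
    if manifest != meta["latest"]:
        issues.append(
            f"skill.json version={manifest} does not match registry latest={meta['latest']}"
        )
    return issues
```

Run against the quoted values it reports three problems: 1.0.1 was published after 4.0.0 yet sorts lower, 'latest' is not the highest version in the history, and the manifest disagrees with 'latest'. A registry whose history passes all four checks gives an empty list.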
MEDIUM Script reads API key from secrets directory -13
skill-scan.py reads from ~/clawd/secrets/openrouter.key to obtain an API key for external API calls. This accesses a secrets directory outside the skill's own directory. The key_paths lookup also checks ~/.config/openrouter/key. While this is required for the intended functionality, it normalizes accessing secrets directories and the key is then transmitted in Authorization headers to a third-party endpoint.
MEDIUM SKILL.md recommends ~/.bashrc modification (persistence) -20
The Installation Notes section of SKILL.md instructs the user (and, by extension, the agent) to append an alias to ~/.bashrc. This is a persistence mechanism: the alias definition is evaluated in every future interactive shell session, and ~/.bashrc is a critical per-user configuration file. The instruction is clear and disclosed, but it matches the HIGH-severity persistence pattern and modifies a file that an agent should not be editing on a skill's say-so.
MEDIUM Trust inversion: security scanner creates persistent third-party data collection pipeline -12
As an installed skill, Heimdall is positioned in a uniquely trusted role — the agent uses it to evaluate other skills. This means every future skill the agent scans with --analyze will have its complete source code sent to OpenRouter. If the OpenRouter account is attacker-controlled or the API key is logged server-side, this creates a stealthy, persistent mechanism to harvest the content of every skill the agent ever reviews, including any secrets those skills contain. The attack is especially effective because a 'security scanner' is exactly the kind of tool users trust implicitly.
MEDIUM Attempts to execute unknown oracle CLI binary with user-controlled prompt content -10
Before falling back to OpenRouter, skill-scan.py attempts subprocess.run(['oracle', '-m', 'anthropic/claude-sonnet-4-20250514', '-p', prompt]), where prompt contains content from the scanned skill. The oracle binary is not part of this skill, is resolved from PATH at run time, and its behavior is unknown: whatever executable of that name is found first on PATH receives the scanned content. List-form argument passing prevents shell injection, but passing the prompt in argv exposes it to any local process that can read the process list (ps, /proc/<pid>/cmdline). If oracle is not installed the call silently fails and the code falls through to OpenRouter, so the remote path is taken whenever the local helper is absent.
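A guarded way to call an optional local helper, as an added example written for this review, not code from skill-scan.py. It assumes the helper accepts its prompt on standard input (the report shows oracle being given the prompt via -p, so that would need confirming against the real tool), resolves the binary explicitly, optionally restricts which directories it may live in, and returns None instead of silently falling through so the caller decides whether a remote fallback is acceptable.

```python
import os
import shutil
import subprocess


def resolve_helper(name, allowed_dirs=None):
    """Resolve a helper CLI by name. Returns its real absolute path, or None if it is
    missing or (when allowed_dirs is given) lives outside those directories."""
    path = shutil.which(name)
    if path is None:
        return None
    path = os.path.realpath(path)          # follow symlinks before checking location
    if allowed_dirs is not None and os.path.dirname(path) not in allowed_dirs:
        return None
    return path


def run_helper(name, prompt, extra_args=(), allowed_dirs=None, timeout=60):
    """Run the helper with the prompt on stdin rather than in argv, so the scanned
    content never shows up in the process list. Returns stdout on success, or None
    when the helper is unavailable, fails, or times out. The caller must then decide
    explicitly whether sending the prompt to a remote service is acceptable."""
    path = resolve_helper(name, allowed_dirs)
    if path is None:
        return None
    try:
        proc = subprocess.run(
            [path, *extra_args],
            input=prompt,
            capture_output=True,
            text=True,
            timeout=timeout,
            check=False,
        )
    except (OSError, subprocess.TimeoutExpired):
        return None
    if proc.returncode != 0:
        return None
    return proc.stdout


def analyze_locally_or_refuse(prompt, helper="oracle", remote_allowed=False):
    """Decision wrapper: local helper first; without it, only continue to a remote
    service if the operator opted in. 'oracle' here is the name from the report."""
    result = run_helper(helper, prompt)
    if result is not None:
        return ("local", result)
    if remote_allowed:
        return ("remote", None)            # the real remote call would go here
    return ("refused", None)
```

The verifier's test below uses cat as a stand-in helper because it echoes stdin; in practice the allowed_dirs list would name the directories an operator actually trusts, and remote_allowed would come from configuration rather than defaulting to True.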
LOW Context suppression logic could whitelist malicious patterns in crafted skills -3
The SECURITY_TOOL_INDICATORS list suppresses findings from files whose paths contain substrings such as 'prompt-guard', 'security-scan' or 'patterns.py'. Because the test is a plain substring match on a path the skill author controls, a malicious skill could name its payload 'security-scan.py' or place it under a 'blocklist/' directory and receive the -2 severity reduction on every detected pattern. Similarly, the BLOCKLIST_INDICATORS heuristics suppress findings near lines matching 'patterns:', 'description:' and the like, tokens that appear legitimately in many config and code files and are just as easy to plant deliberately.
INFO SKILL.md contains no prompt injection, instruction overrides, or hidden content 0
Full review of SKILL.md reveals clean, legitimate skill instructions with no attempts to override system prompts, no hidden Unicode tag characters (U+E0001-U+E007F), no HTML comment tricks, no 'ignore previous instructions' patterns, no external URL fetch coercions, and no persona-change directives. The skill transparently describes its purpose and commands.
INFO Installation performed clean git sparse checkout with no unexpected behavior 0
The install process used git sparse checkout to pull only the heimdall subdirectory from the openclaw/skills monorepo. Network activity was limited to GitHub (140.82.121.4:443). No processes were spawned outside the install script, no files were written outside the skill destination directory, and the connection state before vs. after install shows no new persistent listeners or outbound connections.
INFO All honeypot files intact; post-install sensitive file accesses attributable to Oathe monitoring 0
Sensitive file accesses logged in inotifywait and auditd PATH events (for .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) occur at timestamps 1771923697.911 (pre-install baseline) and 1771923721.725 (post-install verification), both clearly attributable to the Oathe audit infrastructure performing canary integrity checks. The skill did not trigger any canary file accesses during installation.