OpenSkillIndex← back to search
claude-code

Skills hefestoai-auditor

Static code analysis tool. Detects security vulnerabilities, code smells, and complexity issues across 17 languages. All analysis runs locally — no code leaves your machine.

install
source · Clone the upstream repo
git clone https://github.com/openclaw/skills
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/openclaw/skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/artvepa80/hefestoai-auditor" ~/.claude/skills/clawdbot-skills-hefestoai-auditor && rm -rf "$T"
manifest: skills/artvepa80/hefestoai-auditor/SKILL.md
source content

HefestoAI Auditor

Static code analysis for security, quality, and complexity. Supports 17 languages.

Privacy: All analysis runs locally. No code is transmitted to external services. No network calls are made during analysis.

Permissions: This tool reads source files in the specified directory (read-only). It does not modify your code.

Install

pip install hefesto-ai

Quick Start

hefesto analyze /path/to/project --severity HIGH

Severity Levels

hefesto analyze /path/to/project --severity CRITICAL   # Critical only
hefesto analyze /path/to/project --severity HIGH        # High + Critical
hefesto analyze /path/to/project --severity MEDIUM      # Medium + High + Critical
hefesto analyze /path/to/project --severity LOW         # Everything

Output Formats

hefesto analyze /path/to/project --output text                          # Terminal (default)
hefesto analyze /path/to/project --output json                          # Structured JSON
hefesto analyze /path/to/project --output html --save-html report.html  # HTML report
hefesto analyze /path/to/project --quiet                                # Summary only

Status and Version

hefesto status
hefesto --version

What It Detects

Security Vulnerabilities

  • SQL injection and command injection
  • Hardcoded secrets (API keys, passwords, tokens)
  • Insecure configurations (Dockerfiles, Terraform, YAML)
  • Path traversal and XSS risks

Semantic Drift (AI Code Integrity)

  • Logic alterations that preserve syntax but change intent
  • Architectural degradation from AI-generated code
  • Hidden duplicates and inconsistencies in monorepos

Code Quality

  • Cyclomatic complexity >10 (HIGH) or >20 (CRITICAL)
  • Deep nesting (>4 levels)
  • Long functions (>50 lines)
  • Code smells and anti-patterns

DevOps Issues

  • Dockerfile: missing USER, no HEALTHCHECK, running as root
  • Shell: missing 
    set -euo pipefail
    , unquoted variables
  • Terraform: missing tags, hardcoded values

What It Does NOT Detect

  • Runtime network attacks (DDoS, port scanning)
  • Active intrusions (rootkits, privilege escalation)
  • Network traffic monitoring
  • For these, use SIEM/IDS/IPS or GCP Security Command Center

Supported Languages (17)

Code: Python, TypeScript, JavaScript, Java, Go, Rust, C#

DevOps/Config: Dockerfile, Jenkins/Groovy, JSON, Makefile, PowerShell, Shell, SQL, Terraform, TOML, YAML

Interpreting Results

file.py:42:10
  Issue: Hardcoded database password detected
  Function: connect_db
  Type: HARDCODED_SECRET
  Severity: CRITICAL
  Suggestion: Move credentials to environment variables or a secrets manager

Issue Types

TypeSeverityAction
VERY_HIGH_COMPLEXITY
CRITICALFix immediately
HIGH_COMPLEXITY
HIGHFix in current sprint
DEEP_NESTING
HIGHRefactor nesting levels
SQL_INJECTION_RISK
HIGHParameterize queries
HARDCODED_SECRET
CRITICALRemove and rotate
LONG_FUNCTION
MEDIUMSplit function

CI/CD Integration

# Fail build on HIGH or CRITICAL issues
hefesto analyze /path/to/project --fail-on HIGH

# Pre-push git hook
hefesto install-hook

# Limit output
hefesto analyze /path/to/project --max-issues 10

# Exclude specific issue types
hefesto analyze /path/to/project --exclude-types VERY_HIGH_COMPLEXITY,LONG_FUNCTION

Licensing

TierPriceKey Features
FREE$0/moStatic analysis, 17 languages, pre-push hooks
PRO$8/moML semantic analysis, REST API, BigQuery integration, custom rules
OMEGA$19/moIRIS monitoring, auto-correlation, real-time alerts, team dashboard

All paid tiers include a 14-day free trial.

See pricing and subscribe at hefestoai.narapallc.com.

To activate a license, see the setup guide at hefestoai.narapallc.com/setup.

About

Created by Narapa LLC (Miami, FL) — Arturo Velasquez (@artvepa)