hefestoai-auditor

Static code analysis tool. Detects security vulnerabilities, code smells, and complexity issues across 17 languages. All analysis runs locally — no code leaves your machine.

Safety Notice

This listing is from the official public ClawHub registry. Review SKILL.md and referenced scripts before running.

Install skill "hefestoai-auditor" with this command: npx skills add artvepa80/hefestoai-auditor

HefestoAI Auditor

Static code analysis for security, quality, and complexity. Supports 17 languages.

Privacy: All analysis runs locally. No code is transmitted to external services. No network calls are made during analysis.

Permissions: This tool reads source files in the specified directory (read-only). It does not modify your code.


Install

pip install hefesto-ai

Quick Start

hefesto analyze /path/to/project --severity HIGH

Severity Levels

hefesto analyze /path/to/project --severity CRITICAL   # Critical only
hefesto analyze /path/to/project --severity HIGH        # High + Critical
hefesto analyze /path/to/project --severity MEDIUM      # Medium + High + Critical
hefesto analyze /path/to/project --severity LOW         # Everything

Output Formats

hefesto analyze /path/to/project --output text                          # Terminal (default)
hefesto analyze /path/to/project --output json                          # Structured JSON
hefesto analyze /path/to/project --output html --save-html report.html  # HTML report
hefesto analyze /path/to/project --quiet                                # Summary only

Status and Version

hefesto status
hefesto --version

What It Detects

Security Vulnerabilities

  • SQL injection and command injection
  • Hardcoded secrets (API keys, passwords, tokens)
  • Insecure configurations (Dockerfiles, Terraform, YAML)
  • Path traversal and XSS risks

Semantic Drift (AI Code Integrity)

  • Logic alterations that preserve syntax but change intent
  • Architectural degradation from AI-generated code
  • Hidden duplicates and inconsistencies in monorepos

Code Quality

  • Cyclomatic complexity >10 (HIGH) or >20 (CRITICAL)
  • Deep nesting (>4 levels)
  • Long functions (>50 lines)
  • Code smells and anti-patterns

DevOps Issues

  • Dockerfile: missing USER, no HEALTHCHECK, running as root
  • Shell: missing set -euo pipefail, unquoted variables
  • Terraform: missing tags, hardcoded values

What It Does NOT Detect

  • Runtime network attacks (DDoS, port scanning)
  • Active intrusions (rootkits, privilege escalation)
  • Network traffic monitoring
  • For these, use SIEM/IDS/IPS or GCP Security Command Center

Supported Languages (17)

Code: Python, TypeScript, JavaScript, Java, Go, Rust, C#

DevOps/Config: Dockerfile, Jenkins/Groovy, JSON, Makefile, PowerShell, Shell, SQL, Terraform, TOML, YAML


Interpreting Results

file.py:42:10
  Issue: Hardcoded database password detected
  Function: connect_db
  Type: HARDCODED_SECRET
  Severity: CRITICAL
  Suggestion: Move credentials to environment variables or a secrets manager

Issue Types

Type                  Severity   Action
VERY_HIGH_COMPLEXITY  CRITICAL   Fix immediately
HIGH_COMPLEXITY       HIGH       Fix in current sprint
DEEP_NESTING          HIGH       Refactor nesting levels
SQL_INJECTION_RISK    HIGH       Parameterize queries
HARDCODED_SECRET      CRITICAL   Remove and rotate
LONG_FUNCTION         MEDIUM     Split function

CI/CD Integration

# Fail build on HIGH or CRITICAL issues
hefesto analyze /path/to/project --fail-on HIGH

# Pre-push git hook
hefesto install-hook

# Limit output
hefesto analyze /path/to/project --max-issues 10

# Exclude specific issue types
hefesto analyze /path/to/project --exclude-types VERY_HIGH_COMPLEXITY,LONG_FUNCTION
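A CI gate built over the finding layout, severity semantics and issue-type table shown above, as an added example that is not part of hefesto-ai or this listing: it parses text findings shaped like the Interpreting Results block, applies the --severity/--fail-on rule (a level includes itself and everything above), and maps each Type to the recommended action. The exact text-output layout and the key names are assumptions copied from the sample above; the report itself is constructed.

```python
"""Gate a CI build on HefestoAI text findings. Added example, not part of hefesto-ai;
the finding layout copies the "Interpreting Results" block, so real output may differ."""
import re

SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}  # a level includes all above it
ACTIONS = {  # recommended action per issue type, from the Issue Types table on this page
    "VERY_HIGH_COMPLEXITY": "Fix immediately", "HIGH_COMPLEXITY": "Fix in current sprint",
    "DEEP_NESTING": "Refactor nesting levels", "SQL_INJECTION_RISK": "Parameterize queries",
    "HARDCODED_SECRET": "Remove and rotate", "LONG_FUNCTION": "Split function",
}
HEADER = re.compile(r"^(?P<file>\S+):(?P<line>\d+):(?P<col>\d+)$")  # unindented file:line:col

# Constructed sample report with two findings; not real tool output.
SAMPLE = """file.py:42:10
  Issue: Hardcoded database password detected
  Function: connect_db
  Type: HARDCODED_SECRET
  Severity: CRITICAL
  Suggestion: Move credentials to environment variables or a secrets manager
utils.py:120:1
  Issue: Function exceeds 50 lines
  Type: LONG_FUNCTION
  Severity: MEDIUM
"""

def parse_findings(text):
    """One dict per 'file:line:col' header, filled from its indented 'Key: value' lines."""
    findings, current = [], None
    for raw in text.splitlines():
        header = HEADER.match(raw)
        if header:
            current = {"file": header["file"], "line": int(header["line"]), "col": int(header["col"])}
            findings.append(current)
        elif current is not None and ":" in raw:
            key, value = raw.strip().split(":", 1)
            current[key.strip().lower()] = value.strip()
    return findings

def select(findings, threshold):
    """Findings at or above threshold, mirroring --severity and --fail-on."""
    floor = SEVERITY_RANK[threshold]
    return [f for f in findings if SEVERITY_RANK.get(f.get("severity"), 0) >= floor]

def should_fail(findings, fail_on="HIGH"):
    return bool(select(findings, fail_on))  # non-zero exit when any finding meets the bar

def triage(findings):
    """(file, line, severity, recommended action) per finding, worst severity first."""
    rows = [(f["file"], f["line"], f.get("severity"), ACTIONS.get(f.get("type"), "Review manually"))
            for f in findings]
    return sorted(rows, key=lambda r: -SEVERITY_RANK.get(r[2], 0))
```

Feed it the captured stdout of hefesto analyze --output text and exit non-zero from should_fail() when the --fail-on flag is not available in your pipeline.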

Licensing

Tier   Price    Key Features
FREE   $0/mo    Static analysis, 17 languages, pre-push hooks
PRO    $8/mo    ML semantic analysis, REST API, BigQuery integration, custom rules
OMEGA  $19/mo   IRIS monitoring, auto-correlation, real-time alerts, team dashboard

All paid tiers include a 14-day free trial.

See pricing and subscribe at hefestoai.narapallc.com.

To activate a license, see the setup guide at hefestoai.narapallc.com/setup.


About

Created by Narapa LLC (Miami, FL) — Arturo Velasquez (@artvepa)

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
