Heimdall

The watchman at your agent's gate.

Vet a Model Context Protocol server before your agent trusts it.

Runs 100% in your browser — nothing is sent to any server

Scan a server

Adjust policy criteria

Try: server-filesystem firecrawl-mcp poisoned example

Scans npm packages (fetched via jsDelivr) and pasted tools.json / MCP configs. Local paths, GitHub URLs, and --handshake need the CLI.

Connect it to your agent

Run it as a tool your agent calls, from the CLI, or in CI.

As an MCP server — give your agent a scan_mcp_server tool to vet a server before it connects. Add to your MCP client config:

{
  "mcpServers": {
    "heimdall": {
      "command": "npx",
      "args": ["-y", "--package", "mcp-heimdall-scan", "heimdall-mcp"]
    }
  }
}

From the CLI — scan an npm or PyPI package, a path, a GitHub URL, or your whole agent config:

# static, runs locally, nothing leaves your machine
npx mcp-heimdall-scan firecrawl-mcp
npx mcp-heimdall-scan pypi:mcp-server-fetch
npx mcp-heimdall-scan ./claude_desktop_config.json --online

In CI — gate every pull request with the GitHub Action:

- uses: caglarbozkurt/mcp-heimdall@v1
  with:
    target: ./claude_desktop_config.json
    policy: strict

Or paste this to your coding agent (Claude Code, etc.) and let it set up the skill:

Set up Heimdall (https://github.com/caglarbozkurt/mcp-heimdall) to vet my MCP servers before I trust them.

1. Install it: run `npm i -g mcp-heimdall-scan` (or use `npx mcp-heimdall-scan`).
2. Add it as a skill using the definition at skill/SKILL.md in that repo.
3. Locate my MCP client config (e.g. claude_desktop_config.json) and run
   `heimdall <that config>` to audit every server configured in it.
4. Report anything that WARNs or FAILs with the reason, and tell me whether
   each server is safe to keep before I let my agent use it.

Docs, MCP server, Action & skill →

What it checks

Every finding cites file:line or tool:name — reproducible, not an opinion. Deep analysis covers JavaScript/TypeScript and Python; injection is language-agnostic.

Prompt injection

Override, concealment, fake authority tags, hidden characters — across tools, resources, and prompts.

Capability & credentials

Filesystem, network, shell, eval, and specific credential access — plus hardcoded secrets.

Proven exfil paths

Data-flow proves a secret read flows into a network call — file:line → file:line.

Composition

The whole config

Paste your MCP config: it finds cross-server exfiltration chains no single server shows alone.

Governance

A gate you control

Detectors emit facts; a policy you define turns them into pass / warn / fail.

Rug-pull drift

Fingerprints the surface so a silently-changed tool description can be caught later.

Known CVEs opt-in

Checks declared dependencies against the OSV.dev advisory database — real CVE IDs, severity-ranked.

Field-tested on 2,500 real MCP servers

The same analyzers you just ran, swept across the npm registry — to prove it's robust on messy real-world code, not just fixtures.

2,500servers harvested
1,726scanned in ~5 min
0.7%flagged for review
0crashes

What that says about the code your agent trusts — share of the 1,726 that…

can run shell commands45%
make network calls67%
can exec and reach network34%
can eval code at runtime9%
touch credential files5%

The flagged 0.7% were driven by install-time code execution and prompt-injection — including real servers with hidden zero-width characters embedded in their tool descriptions, the kind of stealth tool-poisoning a keyword scanner sails past. Unlabeled data, so a flag means review this, not proven malicious. Full run →

And checked against what servers actually do

Static analysis says what a server can do — heimdall validate runs it and records what it really does. Across a behavioral run of 200 packages, static analysis flagged 81% of the capabilities servers actually exercised at runtime — up from 76% after the first run's misses became a fix-list. Honest recall, openly reported, improving run over run. Validation run →

Standing watch at the gate

Heimdall kept the Bifröst — the bridge to Asgard — and could see to the ends of the nine realms. He let nothing cross unseen. This keeps the same watch over the bridge between your agent and the code it trusts.