The watchman at your agent's gate.
Vet a Model Context Protocol server before your agent trusts it.
Runs 100% in your browser — nothing is sent to any serverScan a server
Try: server-filesystem firecrawl-mcp poisoned example
Scans npm packages (fetched via jsDelivr) and pasted tools.json / MCP configs.
Local paths, GitHub URLs, and --handshake need the CLI.
Run it as a tool your agent calls, from the CLI, or in CI.
As an MCP server — give your agent a scan_mcp_server tool to vet a server before it connects. Add to your MCP client config:
{
"mcpServers": {
"heimdall": {
"command": "npx",
"args": ["-y", "--package", "mcp-heimdall-scan", "heimdall-mcp"]
}
}
}
From the CLI — scan an npm or PyPI package, a path, a GitHub URL, or your whole agent config:
# static, runs locally, nothing leaves your machine
npx mcp-heimdall-scan firecrawl-mcp
npx mcp-heimdall-scan pypi:mcp-server-fetch
npx mcp-heimdall-scan ./claude_desktop_config.json --online
In CI — gate every pull request with the GitHub Action:
- uses: caglarbozkurt/mcp-heimdall@v1
with:
target: ./claude_desktop_config.json
policy: strict
Or paste this to your coding agent (Claude Code, etc.) and let it set up the skill:
Set up Heimdall (https://github.com/caglarbozkurt/mcp-heimdall) to vet my MCP servers before I trust them. 1. Install it: run `npm i -g mcp-heimdall-scan` (or use `npx mcp-heimdall-scan`). 2. Add it as a skill using the definition at skill/SKILL.md in that repo. 3. Locate my MCP client config (e.g. claude_desktop_config.json) and run `heimdall <that config>` to audit every server configured in it. 4. Report anything that WARNs or FAILs with the reason, and tell me whether each server is safe to keep before I let my agent use it.
Every finding cites file:line or tool:name — reproducible, not an opinion. Deep analysis covers JavaScript/TypeScript and Python; injection is language-agnostic.
Override, concealment, fake authority tags, hidden characters — across tools, resources, and prompts.
Filesystem, network, shell, eval, and specific credential access — plus hardcoded secrets.
Data-flow proves a secret read flows into a network call — file:line → file:line.
Paste your MCP config: it finds cross-server exfiltration chains no single server shows alone.
Detectors emit facts; a policy you define turns them into pass / warn / fail.
Fingerprints the surface so a silently-changed tool description can be caught later.
Checks declared dependencies against the OSV.dev advisory database — real CVE IDs, severity-ranked.
The same analyzers you just ran, swept across the npm registry — to prove it's robust on messy real-world code, not just fixtures.
What that says about the code your agent trusts — share of the 1,726 that…
The flagged 0.7% were driven by install-time code execution and prompt-injection — including real servers with hidden zero-width characters embedded in their tool descriptions, the kind of stealth tool-poisoning a keyword scanner sails past. Unlabeled data, so a flag means review this, not proven malicious. Full run →
Static analysis says what a server can do — heimdall validate runs it and records what it really does. Across a behavioral run of 200 packages, static analysis flagged 81% of the capabilities servers actually exercised at runtime — up from 76% after the first run's misses became a fix-list. Honest recall, openly reported, improving run over run. Validation run →
Heimdall kept the Bifröst — the bridge to Asgard — and could see to the ends of the nine realms. He let nothing cross unseen. This keeps the same watch over the bridge between your agent and the code it trusts.