Heimdall — Mcp Security Scanner
@caglarbozkurt
About Heimdall — Mcp Security Scanner
Security scanner for MCP servers — vet an MCP before you wire it into an agent. Detects prompt-injection, credential exfiltration (via taint analysis), RCE, and supply-chain risks, and catches cross-server exfil chains no single server reveals. Zero-dependency local CLI, SARIF ou
Basic information
Category
Developer Tools
License
MIT
Runtime
node
Transports
stdio
Publisher
caglarbozkurt
Submitted by
Çağlar Bozkurt
Config
Add this server to your MCP-compatible client using the configuration below.
{
"mcpServers": {
"heimdall": {
"command": "npx",
"args": [
"-y",
"--package",
"mcp-heimdall-scan",
"heimdall-mcp"
]
}
}
}Tools
No tools detected
We auto-extract tools from the README. The maintainer can list them under a ## Tools heading to populate this section.
Overview
What is Heimdall — Mcp Security Scanner?
Heimdall is a local, pre-flight security scanner for Model Context Protocol (MCP) servers. It vets a single server or an entire agent configuration before an agent trusts it, without running the server by default, and requires no account or backend.
How to use Heimdall — Mcp Security Scanner?
Use the CLI via npx mcp-heimdall-scan <target> or install globally. Targets include npm/PyPI packages, local directories, git repositories, a tools/list dump, or an MCP client config file (e.g., claude_desktop_config.json). Options like --policy, --online, --json, and --sarif customize the scan. It also ships as a GitHub Action and as an MCP server itself.
Key features of Heimdall — Mcp Security Scanner
- Static analysis without executing server code.
- Detects injection, capability, exfiltration, provenance, and CVEs.
- Proven data-flow paths for JS/TS (file:line evidence).
- Audits whole agent configs for cross-server exfiltration chains.
- Policy-based verdicts (default, strict, custom waivers with expiry).
- Runs entirely locally, no account or backend needed.
Use cases of Heimdall — Mcp Security Scanner
- Vet a server package before installing it in your agent.
- Audit your entire MCP client config (e.g.,
claude_desktop_config.json) for cross-server risks. - Gate pull requests in CI using the GitHub Action to fail on risky servers.
- Use the MCP server mode to let your agent scan a server before connecting to it.
- Run behavioral validation (
heimdall validate) in a disposable VM to check static findings against runtime behavior.
FAQ from Heimdall — Mcp
More Developer Tools MCP servers
nuxt-mcp / vite-plugin-mcp
antfuMCP server helping models to understand your Vite/Nuxt app better.
MCP-Scan: An MCP Security Scanner
invariantlabs-aiSecurity scanner for AI agents, MCP servers and agent skills.
Burp Suite MCP Server Extension
PortSwiggerMCP Server for Burp
Smithery CLI
smithery-aiInstall, manage and develop MCP servers and skills for agents
MCP-Bridge
SecretiveShellA middleware to provide an openAI compatible endpoint that can call MCP tools
Comments