MCP.so
Sign In

Heimdall — Mcp Security Scanner

@caglarbozkurt

About Heimdall — Mcp Security Scanner

Security scanner for MCP servers — vet an MCP before you wire it into an agent. Detects prompt-injection, credential exfiltration (via taint analysis), RCE, and supply-chain risks, and catches cross-server exfil chains no single server reveals. Zero-dependency local CLI, SARIF ou

Basic information

Category

Developer Tools

License

MIT

Runtime

node

Transports

stdio

Publisher

caglarbozkurt

Submitted by

Çağlar Bozkurt

Config

Add this server to your MCP-compatible client using the configuration below.

{
  "mcpServers": {
    "heimdall": {
      "command": "npx",
      "args": [
        "-y",
        "--package",
        "mcp-heimdall-scan",
        "heimdall-mcp"
      ]
    }
  }
}

Tools

No tools detected

We auto-extract tools from the README. The maintainer can list them under a ## Tools heading to populate this section.

Overview

What is Heimdall — Mcp Security Scanner?

Heimdall is a local, pre-flight security scanner for Model Context Protocol (MCP) servers. It vets a single server or an entire agent configuration before an agent trusts it, without running the server by default, and requires no account or backend.

How to use Heimdall — Mcp Security Scanner?

Use the CLI via npx mcp-heimdall-scan <target> or install globally. Targets include npm/PyPI packages, local directories, git repositories, a tools/list dump, or an MCP client config file (e.g., claude_desktop_config.json). Options like --policy, --online, --json, and --sarif customize the scan. It also ships as a GitHub Action and as an MCP server itself.

Key features of Heimdall — Mcp Security Scanner

  • Static analysis without executing server code.
  • Detects injection, capability, exfiltration, provenance, and CVEs.
  • Proven data-flow paths for JS/TS (file:line evidence).
  • Audits whole agent configs for cross-server exfiltration chains.
  • Policy-based verdicts (default, strict, custom waivers with expiry).
  • Runs entirely locally, no account or backend needed.

Use cases of Heimdall — Mcp Security Scanner

  • Vet a server package before installing it in your agent.
  • Audit your entire MCP client config (e.g., claude_desktop_config.json) for cross-server risks.
  • Gate pull requests in CI using the GitHub Action to fail on risky servers.
  • Use the MCP server mode to let your agent scan a server before connecting to it.
  • Run behavioral validation (heimdall validate) in a disposable VM to check static findings against runtime behavior.

FAQ from Heimdall — Mcp

Comments

More Developer Tools MCP servers