Security scanner for MCP servers — vet an MCP before you wire it into an agent. Detects prompt-injection, credential exfiltration (via taint analysis), RCE, and supply-chain risks, and catches cross-server exfil chains no single server reveals. Zero-dependency local CLI, SARIF output, CI-gateable, no account.
<div align="center"> <img src="assets/logo.svg" width="84" alt="Heimdall" /> **The watchman at your agent's gate.** A security scanner for **Model Context Protocol (MCP) servers** — vet a server, or a whole agent config, before your agent trusts it. </div> --- MCP servers are unvetted code with a natural-language attack surface: their tool