Skip to main content
Glama
heronsec

Heron

Official
by heronsec

Heron — security for what your AI agent runs

Heron

Heron gives a signed, 0–100 trust score for what an AI agent actually runs — the skills it installs, the MCP servers it connects to, and the agent itself under red-team. Every scan is free, every result is wallet-signed (EIP-191), and the scoring methodology is public.

A SKILL.md is an unsigned binary: you install it and your agent runs whatever it says. An MCP server's tool names and descriptions are injected straight into your context, so your agent will obey instructions hidden there ("tool poisoning"). Almost none of it is checked before it runs. Heron checks it.

  • Website: https://heronapp.io

  • Remote MCP endpoint: https://heronapp.io/mcp

  • In the official MCP registry as io.heronapp/heron

Add it (no key, no payment)

Remote server — one line, nothing to install:

claude mcp add --transport http heron https://heronapp.io/mcp

Or add it to any MCP client config:

{
  "mcpServers": {
    "heron": {
      "type": "streamable-http",
      "url": "https://heronapp.io/mcp"
    }
  }
}

Prefer to run it locally (stdio)? It's a thin client over the public API:

pip install -r requirements.txt
python heron_mcp.py

Related MCP server: Mund

Tools

Security (the core):

Tool

What it answers

heron_skill_scan

Is this SKILL.md safe to run before I install it?

heron_mcp_scan

Is this MCP server safe to connect before I add it?

heron_agent_redteam

How injection-resilient is this agent's system prompt?

heron_inspect

Inspect untrusted text (user msg, tool output, RAG doc, email) at runtime — allow/flag/block before your agent trusts it

heron_agent_posture

One signed 0-100 security posture for a whole agent — its system prompt, skills, and MCP servers, combined with a weakest-link rule

heron_agent_identity

An agent's wallet-signed passport + portable attestations

heron_trust_index

The public index of already-scanned skills

heron_verify_attestation

Verify a Heron signature yourself (EIP-191) — no trust required

heron_methodology

The open scoring rules, weights and formula

Each scan returns a 0–100 score, a verdict (trusted / caution / dangerous), the specific findings (remote code execution, secret/credential access, data exfiltration, tool poisoning, prompt-injection, obfuscated payloads — Morse, base64, invisible Unicode, homoglyphs), and a wallet-signed attestation anyone can verify.

Why signed, and why open

A signature proves integrity, not correctness — it proves Heron's wallet scored this exact input, and nobody altered the result. Correctness comes from the method being public and auditable. So both are open: read the methodology, verify the signature, and don't trust a score you can't check.

Reputation is built from real, signed results an agent binds to its identity — not a popularity contest, which is gameable.

Badge

Show what your agent runs is checked. Free, links back to Heron:

[![Heron](https://heronapp.io/badge.svg)](https://heronapp.io)

Scanned a specific skill or MCP server? Its detail page carries a live-score badge: https://heronapp.io/badge/skill/<hash>.svg.

About

Heron is a security layer for the agent economy, operated under İçerikçi Medya. Free to use; the methodology is published; contributions and threat reports are welcome — open an issue or reach hello@heronapp.io.

License

MIT — see LICENSE.

A
license - permissive license
-
quality - not tested
C
maintenance

Maintenance

Maintainers
Response time
Release cycle
Releases (12mo)
Commit activity

Resources

Unclaimed servers have limited discoverability.

Looking for Admin?

If you are the server author, to access and configure the admin panel.

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/heronsec/heron-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server