The tools your agents run are attack surface. Govern them.
Your developers' AI agents don't just write code — they load skills, subagents, MCP servers, and instruction files that hand them tools, permissions, and access to your systems. Any one can carry a hidden instruction to exfiltrate secrets or run destructive commands. Heeler discovers every agent artifact in use, scores how safe it is, and gates the malicious ones before your agents ever trust them.
You've onboarded thousands of unvetted insiders.
Every skill, MCP server, and agent config is an actor operating with your developers' access — copied from marketplaces and repos, trusted on sight, and updated out from under you at run time. Traditional AppSec never had to scan the prompt.
Instructions are executable
A skill is a directive your agent will follow with the permissions you've granted — one injected line turns a helper into an exfiltration tool.
Trusted on sight
Skills and MCP servers get copied from teammates and marketplaces and trusted without review. The malicious ones look exactly like the useful ones.
Shadow AI spreads
New agents, skills, and servers appear across your org faster than anyone catalogs them — you can't secure what you can't see.
A safety score for every artifact.
Heeler catalogs the skills, subagents, and MCP servers in use across your org and rates each from 0 to 100 — 100 is safest — with a plain verdict. You read the number, not the analysis.
0–100, 100 is safest
One score captures how much risk an artifact carries, so any skill or server can be compared, ranked, and gated at a glance.
Benign, suspicious, or malicious
Every artifact resolves to one of three verdicts, backed by the evidence that earned it.
At-risk below 70
Anything under 70 is flagged at-risk — the line where human review, or a hard gate, begins.
A live catalog
Discovery keeps an inventory of every agent artifact in use, so shadow skills and servers can't hide.
What a hostile skill actually does.
Two passes on every artifact: a static read of the literal content, and an isolated model that reasons about intent the way an attacker would — neither running inside your agent, neither able to be talked out of its verdict.
Eleven attack categories
From prompt injection and data exfiltration to destructive commands and tool abuse — the concrete ways an artifact turns hostile.
Follows the trail off-machine
External-reference tiering scores every host an artifact reaches, so a skill phoning home to an unknown domain stands out.
Injection-hardened
The judge runs behind a nonce barrier, so instructions hidden in the artifact can't hijack the analysis or forge a clean verdict.
Verbatim evidence
Every verdict quotes the exact lines that triggered it — proof you can read, not a black-box score.
Vet before they run.
A score only helps if it lands before the artifact is trusted. Heeler checks on demand and lets your own pipelines gate on the result.
On demand or cataloged
Score a single artifact synchronously through the API, or continuously catalog everything in use across the org.
Your pipeline owns the gate
Your CI calls the API and decides — block, warn, or record. Heeler supplies the verdict and the evidence; you set the policy.
Skills and MCP alike
Coverage spans agent skills, subagents, instruction files, and the MCP servers your agents connect to.
Know what your agents are running.
A demo scores the skills, subagents, and MCP configs already in your environment — and shows you the ones your agents should never have trusted.
