THRONE

@heroku/mcp-server

npm / sealed 2026-06-13 / No. 0cfad3fb

> throne registry @heroku/mcp-server sealed
receipt / sealed evidence
scan id: 0cfad3fb66424627876a52787db6f6d6
target: @heroku/mcp-server
sealed at: 2026-06-13 03:47:50Z
evidence hash: sha256:279d4d716b360d53a71996c47b98bd24c2b36a3b67dcc960dcf28e2b16b496c3

01 connect PASS 1.2s

initialize ok: server Heroku MCP Server 1.2.3, negotiated protocolVersion 2025-11-25, capabilities ['resources', 'tools']

02 discover PASS 12ms

supported: tools/list (33 tools), resources/list (1); method not found (tolerated): prompts/list

03 validate_schemas PASS 11ms

all 33 tool inputSchemas are valid JSON Schema

04 smoke_test_tools FAIL 0ms

TimeoutError:

05 error_handling FAIL 0ms

TimeoutError:

06 streaming FAIL 0ms

TimeoutError:

07 resource_lifecycle FAIL 0ms

TimeoutError:

08 concurrent_calls FAIL 0ms

TimeoutError:

09 reconnect FAIL 0ms

TimeoutError:

01 connect PASS 21.0s

initialize ok: server Heroku MCP Server 1.2.3, negotiated protocolVersion 2025-11-25, capabilities ['resources', 'tools']

02 discover PASS 328ms

supported: tools/list (33 tools), resources/list (1); method not found (tolerated): prompts/list

03 validate_schemas PASS 233ms

all 33 tool inputSchemas are valid JSON Schema

04 smoke_test_tools FAIL 0ms

TimeoutError:

05 error_handling FAIL 0ms

TimeoutError:

06 streaming FAIL 0ms

TimeoutError:

07 resource_lifecycle FAIL 0ms

TimeoutError:

08 concurrent_calls FAIL 0ms

TimeoutError:

09 reconnect FAIL 0ms

TimeoutError:

chatgpt desktop / emulation profile pending real-traffic capture / COMING SOON

SECURITY: REVIEW / 4 finding(s), 1 high / review material, not a verdict
LOW / THR-INSTALL-03 / Install-time script execution (npm lifecycle)

"prepare" runs on git-dependency installs and local dev (not registry installs): 'husky'

package/package.json

HIGH / THR-EXEC-04 / Arbitrary command execution from tool arguments

spawn() called with a dynamically built command (heuristic — review): 'cliCommand, cliArgs, {'

package/dist/repl/heroku-cli-repl.js:168

MEDIUM / THR-EXEC-04 / Arbitrary command execution from tool arguments

execSync() called with a dynamically built command (heuristic — review): '`git remote add heroku-${result.name} ${app.git_url}`, { cwd: rootUri });'

package/dist/tools/deploy-to-heroku.js:247

LOW / THR-NET-05 / Hardcoded outbound endpoints

2 non-local endpoint host(s) referenced in code — verify each is expected for this server's purpose: api.heroku.com (package/dist/tools/deploy-to-heroku.js:85), devcenter.heroku.com (package/dist/resources/dev-center-resource.js:8)

package/dist/resources/dev-center-resource.js:8

VERDICT: NOT FIT TO SHIP
SANDBOXED RUN — submitted server executed in a disposable microVM — compatibility: 12 fail / 0 warn across 2 clients / security: review — 4 finding(s), 1 high
sealed by THRONE / No. 0cfad3fb / 2026-06-13

executed in a disposable microVM, created for this scan and destroyed after it. nothing outlives a run.

maintainer of this server? challenge this record: hello@usethrone.dev. tell us what we got wrong and we re-run it in the open.

this page renders the stored record of a real run. nothing on it is asserted without the execution that proved it.