74
/ 100
1 month ago
glama

heor-agent-mcp

AI-powered HEOR (Health Economics and Outcomes Research) MCP server with 7 tools for literature search across 41 medical data sources, cost-effectiveness modeling (Markov/PartSA/PSA), and HTA dossier preparation for NICE, EMA, FDA, IQWiG, HAS, and EU JCA submissions.

Is this your MCP?

Claim it to get a verified publisher badge, a free copy of our full audit findings, and direct contact for any high-priority issues we find.

Install from

M8ven verifies MCPs across every public registry — install directly from whichever one you prefer.

// key findings
🚨
Secret credentials may flow to a network call
5 flows detected: CITELINE_API_KEY, COCHRANE_API_KEY, CORTELLIS_API_KEY. We can’t prove the destination matches the brand the credential belongs to.
⚠️
Known vulnerabilities in dependencies: 2 high
Affects packages this MCP installs at runtime. Upgrade or remove the affected dependency.
🔐
You'll be asked for 10 credentials: COCHRANE_API_KEY, CORTELLIS_API_KEY, ELSEVIER_API_KEY, ELSEVIER_INST_TOKEN, HEOR_API_KEY, MCP_AUTH_TOKEN, OPENFDA_API_KEY, PHARMAPENDIUM_API_KEY, POSTHOG_API_KEY, SERPAPI_KEY
These are read from process.env at runtime. Make sure you trust where they’ll be sent.
// known CVEs in dependencies2 high

Disclosed vulnerabilities in this server's declared npm dependencies (via OSV). Whether each is reachable depends on the installed versions.

high@modelcontextprotocol/sdk@1.0.0GHSA-8r9q-7v3j-jr4g

Anthropic's MCP TypeScript SDK has a ReDoS vulnerability

high@modelcontextprotocol/sdk@1.0.0GHSA-w48q-cv73-mx4w

Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default

Depend on this server? Get alerted when its CVEs change.Watch this server free →
// required environment variables
This server reads these from process.env. You'll be asked to provide them before it can run.
configAZURE_STORAGE_CONNECTION_STRING
configAZURE_STORAGE_CONTAINER
🔐 secretCOCHRANE_API_KEYCochrane Library
🔐 secretCORTELLIS_API_KEY... # Cortellis
🔐 secretELSEVIER_API_KEYScienceDirect
🔐 secretELSEVIER_INST_TOKEN
🔐 secretHEOR_API_KEY
configHEOR_ENABLE_INTERNAL_CLAIMS
configHEOR_KB_ROOT~/.heor-agent # Default
configHEOR_PROXY_URL
🔐 secretMCP_AUTH_TOKEN
configMCP_CORS_ORIGINS
configMCP_HTTP_PORT8080 npx heor-agent-mcp@latest
configMCP_MAX_SESSIONS
configMCP_SESSION_TTL_MS
configMCP_URL
🔐 secretOPENFDA_API_KEY
🔐 secretPHARMAPENDIUM_API_KEYPharmapendium
🔐 secretPOSTHOG_API_KEY
🔐 secretSERPAPI_KEYGoogle Scholar
// full audit trail
The full breakdown of what we checked, the deductions that landed, the network hosts, the dependency advisories, and concrete fix guidance is available to verified publishers.
// improvement guidance — verified publishers only
We have 2 concrete improvements we can share with the publisher of this MCP. Each comes with specific guidance to raise the trust score.
// embed badge in your README
[![M8ven Score](https://m8ven.ai/badge/mcp/neptun2000-heor-agent-mcp-zjy5jq)](https://m8ven.ai/mcp/neptun2000-heor-agent-mcp-zjy5jq)
commit: 59cfac94106301326e864c017786dee0fad7f3d4
code hash: e8c085eb8d836b4d6ab5a7226789a25fbb6b6c60dabc3bd7172381e02643a539
verified: 6/17/2026, 12:01:00 PM
view raw JSON →