Free Tools Pricing
Log in Sign up →

Free Tool

Your MCP configs are
leaking keys

Claude, Cursor, and Windsurf store API keys in plaintext JSON. No sandboxing. No permission model. Every MCP server can read every secret.

$ npx devsafe mcp-scan click to copy

See it in action

What a real MCP config scan looks like.

6
Secrets exposed
Production API keys in plaintext JSON. Any MCP agent can read these.
3
Tips
Per-config tips to move secrets to environment references.
1/3
Configs leak
2 of 3 scanned configs had hardcoded credentials in plaintext.
$0
Free
No account. Runs locally. No network calls. Just JSON parsing.

What this means

MCP (Model Context Protocol) is how AI tools connect to external services. Every MCP server config needs credentials. Most developers put API keys directly in the JSON config file.

That means every AI agent with MCP access can read every key in every config. There is no sandboxing. There is no permission model. A compromised or malicious MCP server gets access to all your keys.

devsafe mcp-scan finds them. devsafe shield --mcp moves them to secure environment references so your configs keep working and your secrets stop being readable.

Fix it

Move all 6 secrets to secure environment references.
devsafe shield --mcp replaces plaintext secrets with environment variable references. Your MCP configs keep working. Your secrets stop being readable.

devsafe shield --mcp
Or vault them

Lockbox MCP Wrap rewrites your AI tool configs to pull secrets from an encrypted vault instead of plaintext JSON.
One command. All tools secured. Secrets never touch a config file again.

$ devsafe lockbox wrap-mcp --all click to copy

Works with Claude Code, Cursor, Windsurf, and Continue. Free forever.

Newsletter

Stay ahead of threats

Research, threat intel, and tutorials. We only publish when we have something worth your time.

No spam. Unsubscribe anytime.

What topics interest you?

Threats
Tutorials
Engineering
AI Security
Product
Everything

Skip this step