Free Tool
Your MCP configs are leaking keys
Claude, Cursor, and Windsurf store API keys in plaintext JSON. No sandboxing. No permission model. Every MCP server can read every secret.
See it in action
What a real MCP config scan looks like.
What this means
MCP (Model Context Protocol) is how AI tools connect to external services. Every MCP server config needs credentials. Most developers put API keys directly in the JSON config file.
That means every AI agent with MCP access can read every key in every config. There is no sandboxing. There is no permission model. A compromised or malicious MCP server gets access to all your keys.
devsafe mcp-scan finds them. devsafe shield --mcp moves them to secure environment references so your configs keep working and your secrets stop being readable.
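To make the problem concrete, here is a small check for plaintext secrets in an MCP config. It is an added example, not devsafe's code or output. It assumes the common "mcpServers" layout with a per-server "env" map, and it treats values written as ${NAME} as environment references; the name pattern and entropy threshold are illustrative heuristics.

```python
import json
import math
import re

# Assumption: a value written as ${NAME} is an environment reference, not a secret.
ENV_REF = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*\}$")
# Assumption: env names containing these words usually carry credentials.
SECRET_NAME = re.compile(r"KEY|TOKEN|SECRET|PASSWORD|CREDENTIAL", re.I)

def entropy(value):
    """Shannon entropy of a string, in bits per character."""
    counts = {c: value.count(c) for c in set(value)}
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())

def looks_secret(name, value):
    """True when an env entry holds a literal that looks like a credential."""
    if not isinstance(value, str) or not value or ENV_REF.match(value):
        return False
    if SECRET_NAME.search(name):
        return True
    # Long, random-looking literals are flagged even under an innocuous name.
    return len(value) >= 20 and entropy(value) >= 3.5

def scan_mcp_config(text):
    """Return sorted (server, env_name) pairs that hold plaintext secrets."""
    config = json.loads(text)
    findings = []
    for server, spec in config.get("mcpServers", {}).items():
        for name, value in (spec.get("env") or {}).items():
            if looks_secret(name, value):
                findings.append((server, name))
    return sorted(findings)

# Constructed sample config; server names and all values are fake.
SAMPLE = """
{"mcpServers": {
  "github": {"command": "npx", "args": ["-y", "example-github-mcp"],
             "env": {"GITHUB_TOKEN": "fake-not-a-real-token-0000",
                     "LOG_LEVEL": "debug"}},
  "search": {"command": "node", "args": ["server.js"],
             "env": {"SEARCH_API_KEY": "${SEARCH_API_KEY}",
                     "SESSION": "q7Zp2LmX9vKc4RtY8wNb3HdF"}}
}}
"""

if __name__ == "__main__":
    for server, name in scan_mcp_config(SAMPLE):
        print(f"plaintext secret: {server} -> env.{name}")
```

Only the env maps are checked here; literals passed through a server's args list would need the same treatment.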
Move all 6 secrets to secure environment references.
devsafe shield --mcp replaces plaintext secrets with environment variable references. Your MCP configs keep working. Your secrets stop being readable.
Lockbox MCP Wrap rewrites your AI tool configs to pull secrets from an encrypted vault instead of plaintext JSON.
One command. All tools secured. Secrets never touch a config file again.
Works with Claude Code, Cursor, Windsurf, and Continue. Free forever.
Other free tools
devsafe scan
Find repos in cloud sync danger zones. iCloud, Dropbox, OneDrive, Google Drive.
devsafe diagnose
Find secrets your AI coding tools can read. Scans for exposed API keys and tokens.
devsafe health
One score for every risk factor. Git config, hooks, remote status, and backup health.
devsafe lockbox
Encrypted secret vault. Import .env files, inject at runtime, share with time-limited grants.