MCPSafe.io

Security checks for MCP servers — public packages and private repos, fast or deep.


© 2026 MCPSafe. All rights reserved.


Server Implementation

Secrets committed to source

Severity: CRITICAL · AIVSS: 8.9 · CWE: CWE-798 · OWASP: LLM02 · Agentic: T09 · Rule: MCP-030

API keys, OAuth tokens, database passwords, or private keys are hardcoded in the package's source or configuration files, so installing the server installs the credential too. Scoped to source files; the same shape inside `.env` files is covered by MCP-210.

What it is

A secret checked into git is a secret published to the world. The attack is as simple as `git clone` and `grep`. Removing the secret later does not fix it because the value lives on in history, in every fork, and in every mirror. The canonical shapes are `AKIA…` AWS keys, `ghp_…` GitHub PATs, `sk_live_…` Stripe keys, `xox[bap]-…` Slack tokens, and PEM-formatted private keys.

Why it matters for MCP

MCP servers frequently need credentials to talk to backend APIs — GitHub, Slack, databases, cloud providers. Authors reach for the easiest option (drop the key in a constant, or in a `.env.example` that somehow became `.env`) because it works during development. When the repo is made public or installed by another user, the credential goes with it, granting whoever installed the package access to the author's real accounts.

Vulnerable example

example.py

```python
# config.py — committed to the public repo
STRIPE_SECRET = "sk_live_4eC39HqLyjWDarjtT1zdp7dc"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
GITHUB_TOKEN = "ghp_abcdef1234567890abcdef1234567890abcd"
```

Secure example

example.py

```python
# config.py — reads from environment; nothing sensitive at rest in the repo.
import os

STRIPE_SECRET = os.environ["STRIPE_SECRET"]
AWS_SECRET_ACCESS_KEY = os.environ["AWS_SECRET_ACCESS_KEY"]
GITHUB_TOKEN = os.environ["GITHUB_TOKEN"]

# In production, load these from a secrets manager (AWS SSM, Vault, 1Password
# Connect, etc.) and rotate aggressively. Never commit an .env with real values.
```

How MCPSafe detects this

We match canonical credential prefixes (AWS `AKIA`, GitHub `ghp_`/`gho_`, Stripe `sk_live_`, Slack `xox[bap]-`, Google `AIza`), PEM private-key headers, and high-entropy base64 assigned to variables named `api_key`, `secret`, `token`, or `password`. Common placeholder values (`xxx`, `changeme`, `your-key`, `<REDACTED>`) are excluded to keep the false-positive rate low.
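The detection strategy described above (canonical prefixes, PEM headers, high-entropy values assigned to sensitive variable names, placeholder exclusion) can be reproduced as a small scanner. The following is an added example written for this page; it is not MCPSafe's detector, and the regexes, the entropy threshold of 4.0 bits per character, the 20-character minimum for the entropy check, and the extra "angle-bracket template" placeholder rule are this example's own assumptions. The sample source it scans is constructed inline and reuses the key shapes already shown on this page.

```python
import math
import re
from dataclasses import dataclass
from typing import List, Optional

# Canonical credential prefixes named on the page. The exact character classes
# and lengths are assumptions for this example, not MCPSafe's rules.
PREFIX_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[po]_[A-Za-z0-9]{36}\b"),
    "stripe_live_key": re.compile(r"\bsk_live_[A-Za-z0-9]{24,}\b"),
    "slack_token": re.compile(r"\bxox[bap]-[A-Za-z0-9-]{10,}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "pem_private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}

# A quoted string assigned to a variable whose name looks sensitive.
SENSITIVE_ASSIGNMENT = re.compile(
    r"(?i)\b(?P<name>[A-Za-z_]*(?:api_key|apikey|secret|token|password)[A-Za-z_]*)"
    r"\s*[:=]\s*['\"](?P<value>[^'\"]+)['\"]"
)

# Placeholder values listed on the page; the "<...>" template rule is an assumption.
PLACEHOLDERS = {"xxx", "changeme", "your-key", "<redacted>"}
BASE64ISH = re.compile(r"^[A-Za-z0-9+/=_\-]{20,}$")  # assumed minimum length 20
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed cut-off


@dataclass
class Finding:
    line_no: int
    kind: str
    variable: Optional[str]
    value: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, estimated from the string's own histogram."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def is_placeholder(value: str) -> bool:
    v = value.strip().lower()
    return v in PLACEHOLDERS or (v.startswith("<") and v.endswith(">"))


def redact(value: str) -> str:
    """Report only a short prefix so the scanner's own output never re-leaks the secret."""
    return value[:6] + "..." + f"({len(value)} chars)"


def scan_lines(lines: List[str]) -> List[Finding]:
    findings = []
    for idx, line in enumerate(lines, start=1):
        for kind, pat in PREFIX_PATTERNS.items():
            m = pat.search(line)
            if m:
                findings.append(Finding(idx, kind, None, m.group(0)))
                break
        else:
            # No known prefix: fall back to "sensitive name = high-entropy value".
            m = SENSITIVE_ASSIGNMENT.search(line)
            if not m or is_placeholder(m.group("value")):
                continue
            value = m.group("value")
            if BASE64ISH.match(value) and shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(Finding(idx, "high_entropy_assignment", m.group("name"), value))
    return findings


# Constructed sample: the AWS and Slack values are documentation-style dummies,
# the Stripe and GitHub values are the ones shown on this page.
SAMPLE_SOURCE = """\
# config.py (constructed sample)
STRIPE_SECRET = "sk_live_4eC39HqLyjWDarjtT1zdp7dc"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
GITHUB_TOKEN = "ghp_abcdef1234567890abcdef1234567890abcd"
SLACK_TOKEN = "xoxb-000000000000-000000000000-constructedsample"
DB_PASSWORD = "changeme"
API_KEY = "<REDACTED>"
SESSION_SECRET = "q7Xp2vL9mZ4kR8wT1nB6yC3jH5sD0fG="
APP_NAME = "demo"
"""

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_SOURCE.splitlines()):
        where = f"line {f.line_no}" + (f" ({f.variable})" if f.variable else "")
        print(f"{where}: {f.kind}: {redact(f.value)}")
```

The prefix patterns fire first because they are precise; the entropy fallback only runs on lines that look like an assignment to a sensitive name and whose value is not a known placeholder, which is what keeps the false-positive rate manageable. Running a scanner like this over the working tree is not sufficient on its own: as the page notes, a secret that was ever committed persists in history, so the same check should be run over every historical revision (or via a pre-commit/pre-push hook so the value never reaches the repository), and any hit should be treated as a rotation event, not a cleanup task.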

See the full threat catalog for every documented detection.

Framework alignment

  • OWASP LLM Top-10 (2025): LLM02 — Sensitive Information Disclosure
  • OWASP Agentic AI Top-10: T09 — Identity Spoofing
  • AIVSS v0.5: 8.9 (HIGH), vector AIVSS:1.0/S:HIGH/AV:N/AU:N/BR:H/CD:D

Further reading

  • CWE-798: Use of Hard-coded Credentials
  • GitHub: Secret scanning

Scan an MCP server for this issue

MCPSafe runs this check — and every other rule in the catalog — on any MCP server you paste in.
