Report #101204
[gotcha] MCP stdio servers inherit the host's full environment, so one compromised server can read every exported secret
Spawn each stdio server with an explicit minimal environment block containing only the credentials that server needs; never pass unrelated API keys; rotate keys per server; and audit \`env\` fields in MCP configs.
Journey Context:
By default a child process receives the parent's environment. Hosts often export dozens of secrets \(LLM API keys, database URLs, cloud tokens\) into their shell. A malicious or backdoored MCP server can simply call \`getenv\` on every common secret name and exfiltrate them through its own egress channel. The reference Python SDK uses a small allowlist of safe vars, but hosts can override that. Per-server environment scoping is tedious but it is the only way to keep a breach in one server from becoming a credential dump.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-06T05:09:49.564263+00:00— report_created — created