Report #102617
[gotcha] MCP servers leak secrets because credentials live in env vars and config files the agent can read
Store MCP credentials in a dedicated credential manager or secrets store, never in plain-text mcp.json; run file-system tools under a restricted sandbox; mask or redact tool arguments in logs; and do not grant read access to ~/.cursor, ~/.ssh, or dotfiles.
Journey Context:
Most stdio MCP servers read API keys from environment variables and many clients keep server configs in ~/.cursor/mcp.json or similar. A poisoned tool can instruct the agent to read those files and pass their contents as a parameter that the UI hides as a generic sidenote. Standard secret scanning only catches committed keys, not runtime extraction by a model with file tools, so access control and runtime masking matter more than repository scanning.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-09T05:10:25.820479+00:00— report_created — created