📄 Config File
mcp.json
Plaintext
~/.cursor/mcp.json
{
  "mcpServers": {
    "github": {
      "env": { "GITHUB_TOKEN": "ghp_a1b2c3..." }
    },
    "slack": {
      "env": { "SLACK_BOT_TOKEN": "xoxb-123..." }
    },
    "postgres": {
      "env": { "DATABASE_URL": "postgres://..." }
    }
  }
}
⚠️ Risk
3 credentials in plaintext, readable by any process
Readable
🔧 MCP Servers
Connected Services
Running
Active Credentials
🐙 GITHUB_TOKEN Exposed
💬 SLACK_BOT_TOKEN Exposed
🗄️ DATABASE_URL Exposed
🔌 Status
All servers connected and operational
Normal
🎭 Threat Vector
Attack Surface
Dormant
Potential Access
# Config file is world-readable
# Any process can access:
~/.cursor/mcp.json
~/.claude/config.json
~/claude_desktop_config.json
# No encryption
# No access controls
# No audit logging
🎯 Attack Surface
Config files readable by any local process
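A defender-side check for the exposure shown above, as an added example that is not part of the original page: it audits the listed config paths for permissive file modes and for credentials stored as literal env values. The function name audit_mcp_config and the SECRET_NAME heuristic are assumptions made for this example.

```python
import json
import re
import stat
from pathlib import Path

# Paths named on the page; adjust for your client and OS.
CANDIDATE_PATHS = ["~/.cursor/mcp.json", "~/.claude/config.json",
                   "~/claude_desktop_config.json"]
# Assumed heuristic: env names that usually carry credentials.
SECRET_NAME = re.compile(r"TOKEN|SECRET|PASSWORD|API_KEY|DATABASE_URL", re.I)


def audit_mcp_config(path):
    """Return findings for one MCP config file; an empty list means clean."""
    p = Path(path).expanduser()
    try:
        mode = stat.S_IMODE(p.stat().st_mode)
        config = json.loads(p.read_text(encoding="utf-8"))
    except FileNotFoundError:
        return []
    except (OSError, ValueError) as exc:
        return [f"{p}: could not be audited ({type(exc).__name__})"]
    findings = []
    # Group/other read bits mean other local accounts can read the secrets.
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"{p}: mode {mode:04o} is readable beyond the owner")
    servers = config.get("mcpServers") if isinstance(config, dict) else None
    for name, server in (servers.items() if isinstance(servers, dict) else []):
        env = server.get("env") if isinstance(server, dict) else None
        if not isinstance(env, dict):
            continue
        for key, value in env.items():
            # Report the location only; never echo the secret value itself.
            if isinstance(value, str) and value and SECRET_NAME.search(key):
                findings.append(f"{p}: {name}.env.{key} is stored in plaintext")
    return findings


if __name__ == "__main__":
    for candidate in CANDIDATE_PATHS:
        for finding in audit_mcp_config(candidate):
            print(finding)
```

Mode 600 only keeps other accounts out; processes running as the same user can still read the file, so the plaintext finding remains until the secret is moved out of the config.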