MCP_NO_CREDENTIAL_LEAK
Verify MCP server configurations do not contain plaintext secrets, API keys, or embedded credentials.
Framework Mappings
OWASP Agentic ASI04 — Supply Chain Vulnerabilities
Agent Frameworks Scanned
Claude Code, MCP
Evaluation Facets
01
No Plaintext Secrets in Config
Required. Weight: 0.45
Pass: No API keys, tokens, or passwords in MCP env configs
Fail: Plaintext secrets detected in configuration
02
Environment Variable References
Required. Weight: 0.3
Pass: Secret values use ${VAR} or $VAR references
Fail: Secret-like keys have hardcoded literal values
03
No Secrets in Connection Strings
Weight: 0.25
Pass: No embedded credentials in database URLs
Fail: Connection strings with embedded user:password patterns
Remediation Steps
1. Replace all hardcoded secrets with environment variable references
2. Use a secret manager for sensitive configuration
3. Remove credentials from database connection strings
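The three facets above, implemented as an added example (not Brigs's code or rule set): a Python check over a constructed config in the mcpServers layout of Claude Code's .mcp.json. The key-name and URL patterns are assumed heuristics, and all server names and values are made up.

```python
import json
import re

# Constructed sample in the mcpServers layout used by Claude Code's .mcp.json;
# every server name and value here is made up for the example.
SAMPLE_CONFIG = json.loads("""
{
  "mcpServers": {
    "search": {"command": "npx", "args": ["-y", "example-search-mcp"],
               "env": {"SEARCH_API_KEY": "${SEARCH_API_KEY}", "LOG_LEVEL": "debug"}},
    "tickets": {"command": "example-tickets-mcp",
                "env": {"TICKETS_TOKEN": "constructed-literal-token-value"}},
    "db": {"command": "example-db-mcp",
           "args": ["postgresql://app:constructed-pw@db.internal:5432/app"],
           "env": {"DATABASE_URL": "postgresql://${DB_USER}:${DB_PASS}@db.internal/app"}}
  }
}
""")

# Assumed heuristics (not the product's rules): key names that suggest a secret,
# values that are purely a $VAR / ${VAR} reference, and URLs carrying user:password@.
SECRET_KEY = re.compile(r"(?i)(secret|token|password|passwd|api[_-]?key|credential)")
VAR_REF = re.compile(r"^\$(\{[A-Za-z_][A-Za-z0-9_]*\}|[A-Za-z_][A-Za-z0-9_]*)$")
URL_CREDS = re.compile(r"[a-z][a-z0-9+.-]*://([^/\s:@]+):([^/\s@]+)@", re.I)

def scan(config):
    """Return sorted (server, location, finding) tuples; an empty list means pass."""
    findings = []
    for name, server in config.get("mcpServers", {}).items():
        env = server.get("env", {})
        for key, value in env.items():
            if SECRET_KEY.search(key) and not VAR_REF.match(str(value)):
                findings.append((name, f"env.{key}", "hardcoded-secret"))
        # Connection strings can sit in env values and in command-line args.
        candidates = [(f"env.{k}", str(v)) for k, v in env.items()]
        candidates += [(f"args[{i}]", str(a)) for i, a in enumerate(server.get("args", []))]
        for location, text in candidates:
            m = URL_CREDS.search(text)
            # A password that is itself a variable reference is not an embedded credential.
            if m and not VAR_REF.match(m.group(2)):
                findings.append((name, location, "credentials-in-url"))
    return sorted(findings)

if __name__ == "__main__":
    for server, location, finding in scan(SAMPLE_CONFIG):
        print(f"FAIL {server} {location}: {finding}")  # report the location, never the value
```

Findings name only the server and field, so the scanner's own output and CI logs do not become a second copy of the secret.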