The 1Password for MCP servers, securing AI agent credentials.
Pitch

MCPGUARD is a local-first CLI tool designed to eliminate the risks of plaintext API keys in MCP config files. By securely migrating credentials to your OS keychain, it ensures that sensitive information is never written to disk. Easily audit, migrate, and manage your credentials to maintain the integrity of your systems.

Description

MCPGUARD - The 1Password for AI Agents

MCPGUARD is a tool for securing the credentials of your MCP (Model Context Protocol) servers. It replaces the plaintext API keys in MCP configuration files with vault references, so the secret itself lives encrypted in your operating system's keychain and is never stored in plaintext on disk.

Addressing a Critical Security Issue

A significant percentage of MCP servers (53%) currently use plaintext API keys, which exposes them to:

  • Leakage through accidental commits of config files to git repositories.
  • Plaintext keys being copied between machines when config files are synced or shared.
  • A higher likelihood of breach; over 8,000 MCP servers have been found publicly accessible on the internet.

Key Features of MCPGUARD

  • Local-First CLI Tool: Operate securely without requiring cloud synchronization or network connectivity.
  • Automated Auditing: Effortlessly scan MCP configuration files for plaintext credentials with the mcpguard audit command.
  • Seamless Migration: Convert plaintext credentials to secure vault references with the mcpguard migrate command, ensuring credentials are securely stored in the OS keychain.
  • Secure Credential Management: Add, list, and manage credentials effectively, protecting access without exposing sensitive information.

Usage Examples

  • Audit existing configurations:

    mcpguard audit

  • Migrate plaintext credentials to the vault:

    mcpguard migrate

  • Add a new credential manually:

    mcpguard add github

How It Works

MCPGUARD scans configuration files for plaintext credentials, identifies them, and then moves each one into secure storage:

  • OS Keychain: Credentials are encrypted and stored in the operating system's secure storage (macOS Keychain, Linux Secret Service, or Windows Credential Manager).
  • AES-256 Encryption: Where no OS keychain is available, credentials fall back to an AES-256-encrypted store.

Supported Configurations

MCPGUARD can automatically scan and secure credentials from various MCP configuration files, including:

  • Claude Desktop: ~/.config/claude/claude_desktop_config.json
  • Cursor: ~/.cursor/mcp.json
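To make the audit and migrate steps concrete, here is an added example (not MCPGUARD's own code) that walks a config in the Claude Desktop / Cursor "mcpServers" shape, flags plaintext credentials in `env` values and command-line `args`, and rewrites each one as a vault reference while collecting the secrets that would be handed to the OS keychain. The `mcpguard://` reference syntax, the detection rules, and every token value in the sample config are assumptions constructed for this example; the page does not document MCPGUARD's real formats.

```python
"""Added example: audit an MCP config for plaintext credentials and rewrite
them as vault references, mirroring the two steps the page describes for
`mcpguard audit` and `mcpguard migrate`. Reference syntax and detection
rules are assumptions for this example, not MCPGUARD's own."""
import copy
import json
import re
from pathlib import Path

# Assumed reference syntax; the page does not document MCPGUARD's real format.
REF_PREFIX = "mcpguard://"

# Env-var names that conventionally carry credentials.
SECRET_NAME = re.compile(r"TOKEN|SECRET|PASSWORD|PASSWD|API_?KEY|PRIVATE_KEY|CREDENTIAL", re.I)
# Well-known credential prefixes (GitHub, OpenAI, Slack, AWS) for values that
# appear in args, where no variable name gives the game away.
SECRET_VALUE = re.compile(r"^(ghp_|github_pat_|sk-|xox[abp]-|AKIA)[A-Za-z0-9_\-]{10,}$")

# Constructed sample in the Claude Desktop / Cursor "mcpServers" shape.
# Every token value below is made up for this example.
SAMPLE_CONFIG = {
    "mcpServers": {
        "github": {
            "command": "npx",
            "args": ["-y", "@modelcontextprotocol/server-github"],
            "env": {"GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_constructedExampleValue0123456789"},
        },
        "slack": {
            "command": "slack-mcp",
            "args": ["--token", "xoxb-0000-constructed-example-value"],
        },
        "filesystem": {
            "command": "npx",
            "args": ["-y", "@modelcontextprotocol/server-filesystem", "/tmp"],
            "env": {"LOG_LEVEL": "debug"},
        },
    }
}


def is_plaintext_secret(name, value):
    """True when an env var or arg looks like a credential that is not yet a vault reference."""
    if not isinstance(value, str) or not value or value.startswith(REF_PREFIX):
        return False
    return bool(SECRET_VALUE.match(value)) or (name is not None and bool(SECRET_NAME.search(name)))


def audit(config):
    """Return [(server, location, value)] for every plaintext credential found."""
    findings = []
    for server, spec in config.get("mcpServers", {}).items():
        for name, value in spec.get("env", {}).items():
            if is_plaintext_secret(name, value):
                findings.append((server, f"env.{name}", value))
        for i, arg in enumerate(spec.get("args", [])):
            if is_plaintext_secret(None, arg):
                findings.append((server, f"args[{i}]", arg))
    return findings


def migrate(config):
    """Return (config with references, {reference: secret}) without mutating the input.
    A real tool would hand the second value to the OS keychain; here it stays in memory."""
    migrated = copy.deepcopy(config)
    vault = {}
    for server, location, value in audit(config):
        ref = f"{REF_PREFIX}{server}/{location}"
        spec = migrated["mcpServers"][server]
        if location.startswith("env."):
            spec["env"][location[len("env."):]] = ref
        else:
            spec["args"][int(location[len("args["):-1])] = ref
        vault[ref] = value
    return migrated, vault


def audit_file(path):
    """Audit an on-disk config such as ~/.cursor/mcp.json."""
    return audit(json.loads(Path(path).read_text()))


if __name__ == "__main__":
    for server, location, value in audit(SAMPLE_CONFIG):
        print(f"[plaintext] {server}: {location} = {value[:8]}...")
    new_config, vault = migrate(SAMPLE_CONFIG)
    print(json.dumps(new_config, indent=2))
    print("findings after migration:", len(audit(new_config)))
```

Running it reports the GitHub token and the Slack `--token` argument, leaves `LOG_LEVEL` alone, and a second audit over the migrated config returns no findings because every flagged value is now a reference. Name-based matches are a review queue rather than proof of a secret, so a real audit should print them for confirmation before migrating; resolving the references back from the keychain when the MCP client launches a server is the runtime half of the design that this example does not cover.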

Security and Development Principles

  • No secrets written to disk
  • Transparency through open-source development
  • Free to use, with ongoing improvements and new features planned for future releases

Future Development

The roadmap includes anticipated features such as OAuth flows, team vaults, CI/CD integration, and more, aimed at creating a comprehensive security framework for all AI-related operations.

MCPGUARD is essential for any user leveraging the MCP landscape, providing a secure, efficient means to manage credentials while safeguarding against the risks posed by plaintext storage. For more information or to contribute, please visit the MCPGUARD GitHub repository.
