How to Scan MCP Skills for Hard-Coded Secrets

You've probably already set up at least one MCP server. You found a config example somewhere — maybe in the Cursor docs, maybe in a GitHub issue, maybe copy-pasted from a colleague's setup.

Somewhere in that setup chain, a secret may have moved to the wrong place.

Hard-coded API keys inside MCP skill definitions, config files, or tool descriptions are one of the most common and least visible security issues in AI agent deployments right now. Microsoft's security team called it out as a top-10 risk in their Copilot Studio analysis. GitHub responded by shipping push protection specifically for MCP server interactions at the infrastructure level. And at least one popular AI coding tool is displaying raw API keys in plain output when users run /mcp.

The problem is structural: MCP documentation is split across every client (Cursor, Claude Code, Codex, GitHub Copilot), every remote server ships its own setup guide, and there's no cross-client standard for secret hygiene in shared configs. Teams inherit this fragmentation and don't know where to look. If you want to understand how this connects to the broader landscape of AI agent attack types, credential exposure is one of eleven documented vectors — and it's among the most operationally invisible.

---

Why Hard-Coded Secrets End Up in MCP Skills

MCP skills are often shared across team members through committed config files — .mcp.json in Claude Code, .cursor/mcp.json in Cursor, config.toml in Codex. When someone copies a working example with an API key or PAT already in the headers or env block, that key travels with the file.

Three places where secrets tend to get embedded:

This is where the credential theft risk documented in the Agents of Chaos study becomes concrete — not a sophisticated attack, just friction in the setup process turning into a leaked key sitting in a shared config file.

---

How SkillShield Scans for Embedded Credentials

SkillShield's static analysis engine runs each skill through a multi-layer classification pipeline that includes dedicated pattern matching for secrets. This covers:

• API key patterns — format-matched against known providers (OpenAI, Anthropic, GitHub, AWS, Stripe, and more)
• Token formats — OAuth tokens, PATs, bearer strings embedded in descriptions or config sections
• Environment variable leakage — cases where env vars have been expanded before the skill was packaged and committed

When SkillShield flags a skill for embedded credentials, the risk report shows:

• The skill name and source marketplace
• The matched pattern type (API key, PAT, bearer token, etc.)
• The field where it was found (description, tool spec, env block)
• A recommended remediation path

You don't have to read through 33,000 skill definitions by hand. SkillShield surfaces the ones that need your attention.

For a broader comparison of how SkillShield stacks up against other MCP scanning tools, see the MCP Security Scanner Comparison 2026.

---

Running Your First MCP Secret Scan

Start with any skill connected to external APIs — GitHub, Stripe, Slack, or custom endpoints are the highest-priority targets.

# Scan a specific skill from a marketplace URL
npx skillshield scan https://clawhub.com/skills/example

# Scan a local skill definition
npx skillshield scan ./my-skill/

# Filter results by credential findings only
npx skillshield scan ./my-skill/ --category credentials

A practical workflow for a first audit:

1. Scan your active skill set — start with any skill connected to external APIs
2. Review the credential flags first — filter by risk category for fastest triage
3. Check your MCP config files separately — SkillShield scans skill manifests; your .mcp.json / config.toml files should also be reviewed against your team's secret-storage policy
4. Rotate any confirmed exposed keys immediately — if a key has been in a shared config file, assume it's compromised and rotate before removing it from the file

Rotation before removal matters. Removing the key from a file doesn't invalidate it — if the file was ever committed or shared, the key was already exposed. Rotate first, then clean.

---

What SkillShield Finds That Static Git Scanning Misses

Standard git secret scanners (like GitHub's push protection, gitleaks, or trufflehog) catch secrets in code repositories. They watch commits, PRs, and file history.

But MCP skill definitions don't always live in repos. They're pulled from marketplaces, shared via config links, or distributed through tool registries that sit entirely outside your git history. A developer can install a marketplace skill, configure it with a key, and that configuration never touches version control.

SkillShield is the scanner that covers the surface git tools don't see: the skills themselves, wherever they came from.

---

The Bigger Picture

Three signals converged in early 2026 to make this more than a theoretical concern:

1. Microsoft's Security Blog (Feb 2026) listed hard-coded credentials as a top-10 AI agent risk in their Copilot Studio security analysis
2. GitHub shipped push protection specifically for the GitHub MCP server — treating MCP-sourced secret leaks as a real threat worth blocking at the infrastructure level
3. Developers are actively reporting that tools like Codex display raw API keys in /mcp output instead of masking them (Codex issue #5524, March 2026)

Microsoft named hard-coded credentials a top-10 AI agent risk. GitHub built push protection for MCP server interactions. These aren't future concerns — they're signals that the industry is moving fast to close a gap that exists right now in most AI agent deployments.

Scanning your MCP skills for embedded secrets is the first step to not being caught on the wrong side of that gap when it closes.