
Comment by julien-poitou

1 month ago

I was auditing my Claude Desktop config and realized my GitHub, Linear, and Notion API keys were sitting in plaintext in ~/.config/claude/claude_desktop_config.json.

Anyone with read access to that file (malicious MCP server, compromised dependency, RCE) gets all your keys instantly.

MCPGuard fixes this: it scans your MCP configs, detects plaintext credentials, and migrates them to your OS keychain (macOS Keychain, Linux SecretService, Windows Credential Manager).

  $ mcpguard audit   # finds exposed keys
  $ mcpguard migrate # moves them to OS keychain

Your config file then has vault references instead of real keys. The credentials never touch disk again.

npm: npm install -g mcpguard-cli
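
An added example, not part of the comment above and not MCPGuard's code: a minimal audit pass over the `env` blocks of an MCP config that flags values that look like plaintext credentials without ever printing them. The `vault://` reference prefix, the name pattern, and the entropy threshold are assumptions made for illustration, and the sample config is constructed.

```python
import json
import math
import re

# Constructed sample in the Claude Desktop config layout; all values are fake.
SAMPLE_CONFIG = json.dumps({"mcpServers": {
    "github": {"command": "npx", "env": {"GITHUB_TOKEN": "ghp_" + "EXAMPLE0" * 4}},
    "linear": {"command": "npx", "env": {"LINEAR_AUTH": "lin_x9Qe2ZrT7uVb4LmN8pKs1WdY6cHf3JgA"}},
    "notion": {"command": "npx", "env": {"NOTION_API_KEY": "vault://notion/api-key",
                                         "LOG_LEVEL": "debug"}},
}})

SECRET_NAME = re.compile(r"TOKEN|SECRET|PASSWORD|API_?KEY|CREDENTIAL", re.I)
REF_PREFIX = "vault://"  # assumed reference format, not taken from MCPGuard


def shannon_entropy(value):
    """Bits per character; random API keys score well above ordinary words."""
    counts = {c: value.count(c) for c in set(value)}
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())


def audit(config_text):
    """Return (server, variable, reason) for each env value that looks like a
    plaintext credential. The values themselves are never returned or printed."""
    findings = []
    servers = json.loads(config_text).get("mcpServers", {})
    for server, spec in servers.items():
        for name, value in (spec.get("env") or {}).items():
            if not isinstance(value, str) or value.startswith(REF_PREFIX):
                continue  # non-string, or already a keychain reference
            if SECRET_NAME.search(name):
                findings.append((server, name, "name"))
            elif len(value) >= 20 and shannon_entropy(value) >= 3.5:
                findings.append((server, name, "entropy"))
    return findings


if __name__ == "__main__":
    for server, name, reason in audit(SAMPLE_CONFIG):
        print(f"{server}: {name} looks like a plaintext credential ({reason})")
```

This pass only inspects `env`; secrets passed in a server's `args` would need a separate check.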