53% of MCP server configurations store API keys in plaintext. That statistic comes from MCPGUARD, a new open-source CLI tool built to fix the problem, and it lines up with a February 2026 scan that found over 8,000 MCP servers publicly accessible on the internet.
The Model Context Protocol (MCP) is the standard that lets AI assistants like Claude Desktop and Cursor connect to external tools and data sources. Each connection typically needs an API key, and right now, most people store those keys directly in their MCP config files as plain text. That means your credentials for databases, code repositories, cloud services, and SaaS tools are sitting in a JSON file that's easy to accidentally commit to GitHub, share across machines, or expose in a breach.
How MCPGUARD Works
The tool runs a three-step process. First, it audits your MCP configuration files to find every exposed credential. Then it migrates those secrets into your operating system's native keychain: macOS Keychain, Windows Credential Manager, or Linux Secret Service. Finally, it replaces the plaintext values in your config with mcpguard:// references that point to the encrypted vault.
At runtime, MCPGUARD injects the real credentials from the keychain back into environment variables so your MCP servers work exactly as before. The secrets just never touch the disk in readable form.
For machines without a keychain available, it falls back to AES-256 encryption (the same standard used by banks and governments for classified data).
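The audit step described above can be approximated in a few lines. This is an added example, not MCPGUARD's own code or detection logic: it assumes the mcpServers / env / args layout used by Claude Desktop-style configs, and the sample config, server names, key values, and the path after mcpguard:// are all constructed.

```python
import json
import re

# Constructed sample in the "mcpServers" layout; server names and values are fake.
SAMPLE = json.loads("""
{"mcpServers": {
  "github": {"command": "npx", "args": ["-y", "example-github-server"],
             "env": {"GITHUB_TOKEN": "ghp_CONSTRUCTED_NOT_A_REAL_TOKEN", "LOG_LEVEL": "debug"}},
  "payments": {"command": "example-payments-server",
               "args": ["--api-key", "sk_test_CONSTRUCTED_EXAMPLE_ONLY"],
               "env": {"STRIPE_KEY": "mcpguard://payments/STRIPE_KEY"}}
}}
""")

REFERENCE_PREFIX = "mcpguard://"  # scheme from the article; the path after it is assumed
SECRET_NAME = re.compile(r"key|token|secret|passw(or)?d|credential", re.I)
# Well-known credential prefixes: GitHub PAT, Stripe secret key, AWS key ID, Slack token.
SECRET_VALUE = re.compile(r"^(ghp_|sk_(live|test)_|AKIA|xox[bp]-)")


def looks_secret(name: str, value: str) -> bool:
    """Heuristic: a secret-like name with a non-trivial value, or a known key prefix."""
    if value.startswith(REFERENCE_PREFIX):
        return False  # already a vault reference, nothing readable on disk
    named = bool(SECRET_NAME.search(name)) and len(value) >= 8
    return named or bool(SECRET_VALUE.match(value))


def audit(config: dict) -> list[tuple[str, str]]:
    """Return (server, location) pairs whose values look like plaintext secrets."""
    findings = []
    for server, spec in config.get("mcpServers", {}).items():
        for name, value in spec.get("env", {}).items():
            if isinstance(value, str) and looks_secret(name, value):
                findings.append((server, f"env.{name}"))
        args = spec.get("args", [])
        for i, arg in enumerate(args):
            if not isinstance(arg, str) or arg.startswith("-"):
                continue  # flags themselves are not values
            flag = str(args[i - 1]) if i > 0 else ""
            if looks_secret(flag, arg):  # the preceding flag acts as the value's name
                findings.append((server, f"args[{i}]"))
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE))
```

Secrets passed as command-line arguments are checked as well as env entries, since a key in args is just as readable on disk as one in env.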
A Growing Attack Surface
The timing matters here. MCP adoption has accelerated fast in early 2026, with hundreds of new servers published every week. Many of these are built by developers who are focused on functionality, not security hygiene. The result is a sprawling collection of config files containing keys for Stripe, AWS, GitHub, Slack, and dozens of other services, all readable by anyone with file system access.
MCPGUARD auto-detects standard config locations for Claude Desktop, Cursor, and generic MCP setups. It's MIT-licensed and runs entirely locally with no cloud component. If you run any MCP servers, the mcpguard audit command is a reasonable first step to see what's exposed.