MCP server attack surface diagram

Your MCP Servers Are Probably a Security Mess

If you’re using Claude Desktop, Cursor, Windsurf, or any other AI tool with MCP servers, you’ve probably got API keys sitting in plain text config files, servers running unverified npm packages, and tool descriptions that could be manipulated to make your AI do things you didn’t intend. I know this because I built a tool that checks for exactly these problems, and every config I’ve pointed it at so far has had issues. ...

February 20, 2026 · 7 min · Rob Taylor

I broke MCP security in 4 lines of JSON

The Agent Stack #002 — Wednesday Stack

I took 10 popular MCP servers, configured them exactly as their official READMEs tell you to, and ran a security scan. The score: 2 out of 100. Not because I misconfigured anything. Because the docs tell you to do things like this:

{
  "env": {
    "GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_your_token_here"
  }
}

Your GitHub PAT, sitting in a plain text JSON file that any application on your machine can read. ...

February 19, 2026 · 3 min · Rob Taylor