The MCP Credential Theft Surface You Didn't Know You Had

Last week I sat down to write a single rule — block an AI agent from reading ~/.cache/op/, the 1Password CLI v2 session cache. A junior security person would look at the ticket and think: "one file, one regex, an afternoon."

Seven days later I had shipped twenty.

Not because the rules are hard to write. Because every rule I wrote surfaced three more credential files that nobody had mapped, all of them living inside the normal read path of any MCP filesystem server, all of them one read_file call away from an exfil endpoint.

This post is that map.

Three Paths to Start the Panic

Before the taxonomy, three concrete examples. Each is a real file on a real developer's laptop. Each one I just finished writing a blocking rule for.

~/.cache/op/ — the 1Password CLI v2 session signing keys. If your agent can read this directory, it doesn't need your master password. It is your master password, for the duration of your session. Every secret in every vault.

~/Library/Application Support/Anthropic/ — the auth token for the Claude desktop app on macOS. Not covered by ~/.anthropic/ or ~/.config/anthropic/. A separate, undocumented path. An MCP server with filesystem access can read this, POST it to attacker.com, and now the attacker is you, to Anthropic.

~/.config/Windsurf/User/globalStorage/state.vscdb — a SQLite database. This one file holds the persistent state of every VS Code-based extension you have installed. GitHub Copilot's token. Continue.dev's. Cline's Anthropic API key. Claude's. Every AI extension that stores an OAuth token does it here. One file. All of them at once.

These aren't hypotheticals. They're the last three rules I committed before writing this post.

The Shopping List (What Got Added This Week)

I'll organize it the way an attacker would — by what they want.

Cloud infrastructure (five new CLIs this week)

| Tool | Path | What a stolen token does |
|---|---|---|
| Linode CLI | ~/.config/linode-cli | Spin up / destroy VPS instances, rewrite DNS, hijack Kubernetes clusters |
| Hetzner Cloud | ~/.config/hcloud/cli.toml | Full server, network, and floating IP control |
| Scaleway | ~/.config/scw/config.yaml | Full tenant control — VMs, databases, object storage |
| Civo | (CLI config) | Kubernetes cluster takeover |
| Yandex Cloud | (CLI config) | Full cloud account |
| OCI (XDG) | ~/.config/oci/ | Oracle Cloud tenancy takeover — we extended the existing ~/.oci/ rule |
| Databricks (XDG) | ~/.config/databricks/ | Full workspace, notebooks, cluster control |

Every one of these is a credential file that ships in plaintext, lives in $HOME because $HOME in plaintext in the first place.
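As an added example (not AgentShield's code, and not any MCP server's), here is the kind of deny check a read_file handler can run before it touches disk, using the paths named in this post. The rule names, the explicit home argument, the trailing "*" convention and the case_insensitive flag are this example's own choices; it also goes a little beyond the post by covering the SQLite sidecar files (-wal, -shm, -journal) that carry the same data as state.vscdb.

```python
"""Path-deny check for an MCP filesystem server's read_file handler.

Added example for this post; it is not AgentShield's code or any MCP
server's code. Rule names and the `home` / `case_insensitive` parameters
are this example's own choices.
"""
import posixpath
from pathlib import PurePosixPath

# Deny list built from the credential paths named in the post. Each rule
# denies the path itself and everything beneath it. A trailing "*" means
# "prefix-match the last component"; it is used for the Windsurf SQLite file
# so the -wal / -shm / -journal sidecars (same data) are caught too. Civo and
# Yandex Cloud are listed only as "(CLI config)" above, so they have no entry.
DENY_RULES = {
    "1password-cli-v2-session-cache": "~/.cache/op/",
    "claude-desktop-macos-token": "~/Library/Application Support/Anthropic/",
    "windsurf-state-db": "~/.config/Windsurf/User/globalStorage/state.vscdb*",
    "linode-cli": "~/.config/linode-cli",
    "hetzner-hcloud": "~/.config/hcloud/cli.toml",
    "scaleway-scw": "~/.config/scw/config.yaml",
    "oci-xdg": "~/.config/oci/",
    "oci-legacy": "~/.oci/",
    "databricks-xdg": "~/.config/databricks/",
}


def _normalize(raw_path: str, home: str) -> tuple:
    """Expand "~", collapse "." and "..", and return the path components.

    `home` is explicit so the check is deterministic and testable. A real
    handler should realpath() the candidate first so a symlink cannot point
    at a denied file from an allowed directory (assumption: the caller
    resolves symlinks before calling this).
    """
    if raw_path == "~" or raw_path.startswith("~/"):
        raw_path = home + raw_path[1:]
    elif not raw_path.startswith("/"):
        # Assumption for this example: relative reads resolve under home.
        raw_path = home + "/" + raw_path
    return PurePosixPath(posixpath.normpath(raw_path)).parts


def match_rule(raw_path: str, home: str, case_insensitive: bool = False):
    """Return the name of the first deny rule covering raw_path, else None.

    Matching is per path component, so ~/.config/oci-other/ does not match
    the ~/.config/oci/ rule. case_insensitive=True is for macOS, where the
    default APFS volume is case-insensitive and ~/library/... reaches the
    same file as ~/Library/...
    """
    fold = (lambda p: p.lower()) if case_insensitive else (lambda p: p)
    target = tuple(fold(p) for p in _normalize(raw_path, home))
    for name, rule in DENY_RULES.items():
        prefix_last = rule.endswith("*")
        rule_parts = tuple(fold(p) for p in _normalize(rule.rstrip("*"), home))
        if len(target) < len(rule_parts):
            continue
        head, last = rule_parts[:-1], rule_parts[-1]
        if target[:len(head)] != head:
            continue
        candidate = target[len(head)]
        hit = candidate.startswith(last) if prefix_last else (candidate == last)
        if hit:
            return name
    return None


def evaluate_read(raw_path: str, home: str, case_insensitive: bool = False) -> dict:
    """Decision record a read_file handler can log before serving the read."""
    rule = match_rule(raw_path, home, case_insensitive)
    return {"path": raw_path, "allowed": rule is None, "rule": rule}


if __name__ == "__main__":
    # Constructed sample reads; "/Users/dev" is a placeholder home.
    for candidate in [
        "~/.cache/op/session-data",
        "~/.config/hcloud/../oci/config",
        "~/.config/oci-other/config",
        "~/.config/Windsurf/User/globalStorage/state.vscdb-wal",
        "~/library/application support/anthropic/token",
        "/etc/hosts",
    ]:
        print(evaluate_read(candidate, "/Users/dev", case_insensitive=True))
```

The check compares whole path components after normalisation, which is what stops the two classic bypasses of a naive string-prefix rule: a "../" hop from an allowed sibling directory, and a lookalike directory such as ~/.config/oci-other that shares a string prefix with a denied one. The remaining gap is symlinks, which only a realpath() before the check closes.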

We're at aiagentlens.com. AgentShield is open source. Ship a rule. File an issue. The fight is in the call path.

Written by Gary

Security architect specializing in application security, threat modeling, and AI agent risk. Builder of runtime security tooling for autonomous AI agents. Co-founder of AI Agent Lens, where he leads development of AgentShield (runtime command evaluation), AI governance scanning, and security taxonomy frameworks. Passionate about making AI agents safe enough to trust with production systems.

Contributor: Anshuman Biswas

Engineering leader specializing in threat detection, security engineering, and building enterprise B2B systems at scale. Deep hands-on roots in software architecture and AI tooling - currently exploring the frontier of AI agents as co-founder of AI Agent Lens.