AI agent's API keys are sitting in plaintext

53% of MCP servers store API keys as plaintext in config files. They get committed to git, shared across machines, exposed in breaches.

MCPGuard is a local-first CLI that: - Scans your MCP configs for plaintext credentials - Migrates them to your OS keychain (macOS/Linux/Windows) - Replaces values with mcpguard:// references - Injects credentials at runtime — never on disk

One command to audit, one to migrate. No cloud, no account, free and open source.