Where they hide on a typical Mac
- Shell environment.
OPENAI_API_KEY,AWS_SECRET_ACCESS_KEY, and friends, exported in.zshrc/.bashrc, inherited by every agent process you launch. - Agent config and instruction files. Keys pasted into MCP server definitions,
settings.json,.cursorrules,CLAUDE.md,AGENTS.md, or a Codex config because it was the fast way to make something work. - MCP server credentials. Tokens an installed server holds so it can call its API. A trusted server holding a live token is a classic top finding. Trusted publisher, real risk — different axes.
- Project files. A
.envcommitted once, or sitting in a repo the agent has open.
The danger isn't only that a secret exists. It's the path: a secret an agent can read, plus an egress route, plus a prompt injection, is an exfiltration waiting for the right poisoned input. Dryx draws that path and marks it.
Free, in the first inspection: every secret your agents can reach, on Claude Code, Claude Desktop, Cursor, Codex CLI, Cline, GitHub Copilot, Windsurf, and Gemini — plus any MCP server. No paywall on the surface that gets people breached first.
Keep reading
Prompt injection in AI coding agents → Is this MCP server safe? → How the runtime authority works → ← Back to the Field Guide
Last updated: June 16, 2026 · Version 1.0