How do I find which secrets my AI agents can access?

Dryx inspects the AI agents you already run — Claude Code, Claude Desktop, Cursor, Codex CLI, Cline, GitHub Copilot, Windsurf, Gemini, plus any MCP server — and maps every secret each one can reach: shell environment, agent config and instruction files, MCP server credentials, and project files like a committed .env. It draws the reach so you can count what you could not count by hand.

Is checking for exposed secrets free in Dryx?

Yes. Secrets is the free layer. Dryx maps every secret your agents can reach in the first inspection, with no paywall on the surface that gets people breached first. The remaining six exposure surfaces and the deterministic action boundary are on Pro.

Can Claude Code, Cursor, or Codex read my API keys?

Q: Can Claude Code, Cursor, or Codex read my API keys?

Yes. AI agents inherit the shell environment they are launched from, so any key exported in your .zshrc or .bashrc — OPENAI_API_KEY, AWS_SECRET_ACCESS_KEY, and the rest — is readable by the agent process. They also read the config and instruction files you point them at, where keys are often pasted directly. Reachability is the default, not the exception.

Secrets exposure in Claude Code, Cursor, and Codex configs

Short answer: your AI agents can already read the keys in your shell environment and config files — and most developers have never counted them. Dryx maps every secret your agents can reach, free, in the first inspection. Secrets is the surface that's almost always larger than people think.

Where they hide on a typical Mac

Shell environment. OPENAI_API_KEY, AWS_SECRET_ACCESS_KEY, and friends, exported in .zshrc / .bashrc, inherited by every agent process you launch.
Agent config and instruction files. Keys pasted into MCP server definitions, settings.json, .cursorrules, CLAUDE.md, AGENTS.md, or a Codex config because it was the fast way to make something work.
MCP server credentials. Tokens an installed server holds so it can call its API. A trusted server holding a live token is a classic top finding. Trusted publisher, real risk — different axes.
Project files. A .env committed once, or sitting in a repo the agent has open.

The danger isn't only that a secret exists. It's the path: a secret an agent can read, plus an egress route, plus a prompt injection, is an exfiltration waiting for the right poisoned input. Dryx draws that path and marks it.

Free, in the first inspection: every secret your agents can reach, on Claude Code, Claude Desktop, Cursor, Codex CLI, Cline, GitHub Copilot, Windsurf, and Gemini — plus any MCP server. No paywall on the surface that gets people breached first.

Keep reading

Prompt injection in AI coding agents → Is this MCP server safe? → How the runtime authority works → ← Back to the Field Guide

Last updated: June 16, 2026 · Version 1.0

You just read how this surface goes wrong.

The next step is seeing it on your machine. Dryx inspects the AI agents you already run and draws the reach — secrets free, the full seven-surface map on Pro. On Pro with the direct download, your agent also gets a deterministic gate at the action boundary, where its harness supports the hook — defense-in-depth everywhere else. Your agent gets the answer; you don't get a dashboard to babysit.