[BUG] `claude mcp get` exposes environment variable secrets in plaintext
Resolved 💬 3 comments Opened Mar 3, 2026 by nitinsh06 Closed Mar 7, 2026
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
When running claude mcp get <server-name>, the CLI prints the full value of environment variables (including sensitive tokens) in plaintext. These should be masked.
What Should Happen?
The sensitive tokens like github PAT should be masked while displaying mcp info using claude mcp get <server-name>
Sensitive environment variable values should be masked, e.g. ghp_hpX***********
Error Messages/Logs
Steps to Reproduce
- Add an MCP server with a secret token:
claude mcp add github -e GITHUB_PERSONAL_ACCESS_TOKEN=<token> -- npx -y @modelcontextprotocol/server-github - Run claude mcp get github
- The full token value is printed in plaintext to the terminal
Claude Model
None
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
2.1.63 (Claude Code)
Platform
Anthropic API
Operating System
macOS
Terminal/Shell
iTerm2
Additional Information
Actual behavior:
The full secret value is displayed, e.g. GITHUB_PERSONAL_ACCESS_TOKEN=ghp_abc123...
Expected behavior:
Sensitive environment variable values should be masked, e.g. ghp_hpX***********
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗