[BUG] `claude mcp get` exposes environment variable secrets in plaintext

Resolved 💬 3 comments Opened Mar 3, 2026 by nitinsh06 Closed Mar 7, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

When running claude mcp get <server-name>, the CLI prints the full value of environment variables (including sensitive tokens) in plaintext. These should be masked.

What Should Happen?

The sensitive tokens like github PAT should be masked while displaying mcp info using claude mcp get <server-name>
Sensitive environment variable values should be masked, e.g. ghp_hpX***********

Error Messages/Logs

Steps to Reproduce

  1. Add an MCP server with a secret token: claude mcp add github -e GITHUB_PERSONAL_ACCESS_TOKEN=<token> -- npx -y @modelcontextprotocol/server-github
  2. Run claude mcp get github
  3. The full token value is printed in plaintext to the terminal

Claude Model

None

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

2.1.63 (Claude Code)

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

iTerm2

Additional Information

Actual behavior:
The full secret value is displayed, e.g. GITHUB_PERSONAL_ACCESS_TOKEN=ghp_abc123...

Expected behavior:
Sensitive environment variable values should be masked, e.g. ghp_hpX***********

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗