No secret material leaked in observed metadata
Authored by Stanley Hong · AgentReserve (founder).
No high-precision secret pattern (Bearer header, JWT, OpenAI/Anthropic key, GitHub PAT, AWS key, Stripe live key, PEM private key, etc.) appears in `initialize.instructions`, `serverInfo`, tool descriptions, or input schemas after the standard `redact()` pass.
When this rule runs
Requires a successful MCP `initialize` / `tools/list`. Skipped on perimeter-only scans where the server refused or failed the MCP handshake.
Why it matters
Operators sometimes paste real credentials into example payloads or instructions. Anything embedded in `initialize` or `tools/list` is mirrored in every public report — it must not contain live secrets.
Pass condition
No secret-shaped string is detected in the persisted probe surface.
Fail condition
At least one Bearer / JWT / provider-prefixed key matches the surface.
Evidence examples
When the rule fails, the report records evidence in roughly this shape:
{"hits": [{"pattern": "openai-key", "location": "tool.description", "toolName": "demo"}]}
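A sketch of this kind of check, added here as an example and not AgentReserve's implementation. The regexes, the pattern names other than `openai-key`, and the `serverInfo` and `tool.inputSchema` location strings are assumptions. The `redact()` pass is not modelled, and all sample data is constructed.

```python
import json
import re

# Assumed approximations of common secret formats; not the scanner's own rule set.
PATTERNS = {
    "bearer-header": re.compile(r"\bBearer\s+[A-Za-z0-9._~+/-]{20,}=*"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}"),
    "openai-key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws-key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "pem-private-key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

def surface(init_result, tools):
    """Yield (location, toolName, text) for each string in the probe surface."""
    yield "initialize.instructions", None, init_result.get("instructions", "")
    yield "serverInfo", None, json.dumps(init_result.get("serverInfo", {}))
    for tool in tools:
        yield "tool.description", tool.get("name"), tool.get("description", "")
        yield "tool.inputSchema", tool.get("name"), json.dumps(tool.get("inputSchema", {}))

def scan(init_result, tools):
    """Return evidence in the {"hits": [...]} shape; matched values are never stored."""
    hits = []
    for location, tool_name, text in surface(init_result, tools):
        for name, rx in PATTERNS.items():
            if rx.search(text):
                hit = {"pattern": name, "location": location}
                if tool_name is not None:
                    hit["toolName"] = tool_name
                hits.append(hit)
    return {"hits": hits}

# Constructed sample data; the key-shaped strings are fake placeholders.
FAKE_OPENAI = "sk-" + "EXAMPLE0" * 4
FAKE_AWS = "AKIA" + "EXAMPLE0" * 2
INIT = {"serverInfo": {"name": "demo-server", "version": "0.0.0"},
        "instructions": "Authenticate with your own key before calling tools."}
TOOLS = [
    {"name": "demo", "description": f"Call with Authorization: {FAKE_OPENAI}",
     "inputSchema": {"type": "object", "properties": {
         "region": {"type": "string", "default": "us-east-1"}}}},
    {"name": "upload", "description": "Uploads a file.",
     "inputSchema": {"type": "object", "properties": {
         "access_key": {"type": "string", "examples": [FAKE_AWS]}}}},
]

if __name__ == "__main__":
    print(json.dumps(scan(INIT, TOOLS)))
```

Schemas are serialized before matching so that secrets hidden in `default` or `examples` values are caught, and evidence records only the pattern name and location so the report does not re-leak the match.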
Remediation
Remove any sample credentials from `instructions`, `serverInfo`, tool descriptions, and schemas. Rotate anything that has appeared.
Methodology
This rule belongs to the Endpoint hygiene dimension, which covers properties of the URL itself: whether the host is intended for public use, whether secrets appear in the URL, and other observable URL-level signals.
Read the full methodology for how rules are aggregated into a score, how verdicts are decided, and how hard-fail rules override the aggregate.