Stop AI coding agents from leaking API keys. Local proxy swaps real secrets for phm_ tokens.
Config is the same across clients — only the file and path differ.
{
  "mcpServers": {
    "io-github-ashlrai-phantom-secrets-mcp": {
      "args": [
        "-y",
        "phantom-secrets"
      ],
      "command": "npx"
    }
  }
}
Delegate everything to AI. Without sharing a single key.
No known CVEs.
Checked phantom-secrets against OSV.dev.
Phantom hands every AI tool a worthless phm_ token. The local proxy injects the real key at the network layer. Full access. Zero exposure.
AI coding agents read your .env files. Once a real API key enters an LLM's context window, it leaks — via prompt injection, session logs, malicious MCP servers, or training data. GitGuardian reports AI-assisted commits leak secrets at 2× the baseline rate.
Every other secrets manager protects keys at rest and in transit. Phantom protects them in context:
.env contains only phm_ tokens; the proxy swaps them at the network edge.
npx phantom-secrets init and you're protected. No accounts, no DNS, no MITM cert dance.
Used by developers who don't want to choose between delegating to AI and not pasting their Stripe key into a chat window.
$ npx phantom-secrets init
# Auto-detects .env, .env.local, or .env in subdirectories
# Stores real secrets in OS keychain, rewrites .env with phantom tokens
# Auto-configures Claude Code MCP server if detected
$ phantom agent doctor
# One human-readable readiness check for AI-agent safety
$ phantom exec -- claude
# Authenticated proxy running on 127.0.0.1:54321
# AI sees phantom tokens; proxy injects real keys
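To confirm that a rewritten .env really holds only phm_ tokens before an agent reads it, the following added example (not part of Phantom or its CLI) audits dotenv-style text. The name heuristic for what counts as a secret and the sample file are assumptions made for illustration; only the phm_ prefix comes from this page.

```python
import re

# Assumption: variables whose names look like credentials must hold phm_ tokens.
SECRET_NAME = re.compile(r"(KEY|TOKEN|SECRET|PASSWORD|PASSWD|CREDENTIAL)", re.I)
PHANTOM_PREFIX = "phm_"  # token prefix named on this page
# Comment lines never match: a name must start with a letter or underscore.
LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def parse_env(text):
    """Yield (line_no, name, value) for each assignment in dotenv-style text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        m = LINE.match(raw)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if value[:1] in ("'", '"'):
            # Quoted value: take everything up to the matching close quote.
            end = value.find(value[0], 1)
            value = value[1:end] if end != -1 else value[1:]
        else:
            # Unquoted value: an inline comment starts at " #".
            value = value.split(" #", 1)[0].strip()
        yield line_no, name, value


def find_real_secrets(text):
    """Return (line_no, name) pairs; values are never returned, so findings are safe to log."""
    findings = []
    for line_no, name, value in parse_env(text):
        if SECRET_NAME.search(name) and value and not value.startswith(PHANTOM_PREFIX):
            findings.append((line_no, name))
    return findings


# Constructed sample: not real keys and not output of the phantom CLI.
SAMPLE = '''\
# app config
PORT=3000
OPENAI_API_KEY=phm_2f9c0a1b
export STRIPE_SECRET_KEY="constructed-stripe-value"
GITHUB_TOKEN='phm_77aa10' # rewritten
DB_PASSWORD=
ANTHROPIC_API_KEY=constructed-plain-value # missed by init
'''

if __name__ == "__main__":
    for line_no, name in find_real_secrets(SAMPLE):
        print(f"line {line_no}: {name} holds a non-phantom value")
```

Run as a pre-commit or CI step, a non-empty result means a real credential is still on disk where an agent can read it.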
The same commands work on Windows. npx phantom-secrets init installs via npm as on macOS/Linux.
After phantom start --daemon, the CLI detects your shell and prints the matching env-var syntax. For reference:
PowerShell:
$env:OPENAI_BASE_URL = "http://127.0.0.1:PORT/openai/_phantom/TOKEN/"
$env:PHANTOM_PROXY_PORT = "PORT"
$env:PHANTOM_PROXY_TOKEN = "TOKEN"
cmd.exe:
set OPENAI_BASE_URL=http://127.0.0.1:PORT/openai/_phantom/TOKEN/
set PHANTOM_PROXY_PORT=PORT
set PHANTOM_PROXY_TOKEN=TOKEN
Git Bash / WSL: use the export X=Y syntax from the main quick-start.
Notes:
PHANTOM_PROXY_TOKEN is the proxy session authenticator. By default, phantom exec and phantom start include it in local *_BASE_URL values as /_phantom/TOKEN/ so unmodified SDKs work. Header-aware clients can set PHANTOM_PROXY_HEADER_AUTH_ONLY=1 and send `x-phantom-proxy-token