opzyai
Detector summaries (as listed by the directory):
- Checks for committed .env files or missing .gitignore entries for .env.
- Scans git history for secrets that were committed and later removed.
- Detects hardcoded GitHub tokens and credentials.
- Detects hardcoded OpenAI API keys in the source code.
- Detects hardcoded Stripe API keys (excluding public keys like pk_*).
- Detects hardcoded Supabase service-role keys (excluding anon keys).
Opzyai MCP — local security check for AI coding agents
Source for @opzyai/mcp, an MCP server that scans the project in your workspace for the mistakes that ship secrets and vulnerabilities to production, entirely on your machine. Ask your agent "is this safe to ship?" and get a Launch Readiness score with a fix for every finding.
Built by Opzyai — security for apps built with AI tools like Cursor, Lovable, v0 and Bolt.
Install

# Claude Code
claude mcp add opzyai -- npx -y @opzyai/mcp

// Cursor / generic MCP client
{
  "mcpServers": {
    "opzyai": { "command": "npx", "args": ["-y", "@opzyai/mcp"] }
  }
}
What it checks
One tool, security_check({ path?, offline? }), runs four detectors:

Detector | Catches
--- | ---
Working-tree secrets | API keys/tokens hardcoded in source (OpenAI, Anthropic, Stripe, Supabase service-role, AWS, GitHub, ...)
 | env files committed or not gitignored
Git-history secrets | credentials committed once and "removed", still recoverable from history
Dependency CVEs | known-vulnerable packages via OSV

Detection is precision-first: an explicit allowlist keeps intentionally-public values (Stripe pk_*, Supabase anon keys) from ever being flagged.
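To make the "precision-first" point concrete, here is an added, self-contained TypeScript example of a working-tree secret detector with an allowlist. It is not the project's code (the real patterns live in @appsec/detectors, which this page does not show); the key formats, the placeholder heuristic, the function names (scanSource, jwtRole, isPlaceholder, fakeJwt) and the sample source lines are all assumptions constructed for the example. The interesting part is the Supabase case: anon and service-role keys share the same JWT shape, so a prefix regex cannot tell them apart; the example decodes the payload and flags only role == "service_role".

```typescript
// Added example: minimal precision-first secret detector with an allowlist.
// Not @appsec/detectors; patterns and heuristics here are assumptions.

type Finding = { line: number; kind: string; match: string };

// Assumed key shapes. Stripe pk_* is excluded by construction: only secret
// (sk_) and restricted (rk_) keys are matched.
const PATTERNS: Array<{ kind: string; re: RegExp }> = [
  { kind: "openai", re: /\bsk-[A-Za-z0-9_-]{20,}\b/ },
  { kind: "stripe-secret", re: /\b[sr]k_(live|test)_[A-Za-z0-9]{16,}\b/ },
  { kind: "github-token", re: /\bgh[pousr]_[A-Za-z0-9]{36,}\b/ },
  { kind: "aws-access-key", re: /\bAKIA[0-9A-Z]{16}\b/ },
];
// Any JWT ("eyJ" is base64url of '{"'); the role claim decides if it is public.
const JWT_RE = /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b/;

// base64url without Buffer, so the block has no runtime dependencies.
const B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
function b64urlEncode(s: string): string {
  let out = "";
  for (let i = 0; i < s.length; i += 3) {
    const a = s.charCodeAt(i);
    const b = i + 1 < s.length ? s.charCodeAt(i + 1) : -1;
    const c = i + 2 < s.length ? s.charCodeAt(i + 2) : -1;
    out += B64[a >> 2] + B64[((a & 3) << 4) | (b < 0 ? 0 : b >> 4)];
    if (b >= 0) out += B64[((b & 15) << 2) | (c < 0 ? 0 : c >> 6)];
    if (c >= 0) out += B64[c & 63];
  }
  return out;
}
function b64urlDecode(s: string): string {
  let bits = 0, val = 0, out = "";
  for (const ch of s) {
    const v = B64.indexOf(ch);
    if (v < 0) return ""; // not base64url at all
    val = (val << 6) | v; bits += 6;
    if (bits >= 8) { bits -= 8; out += String.fromCharCode((val >> bits) & 0xff); val &= (1 << bits) - 1; }
  }
  return out;
}

// Returns the "role" claim of a JWT payload, or null if it is not a parseable JWT.
function jwtRole(token: string): string | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  try {
    const payload = JSON.parse(b64urlDecode(parts[1]));
    return typeof payload.role === "string" ? payload.role : null;
  } catch { return null; }
}

// Allowlist heuristic for documentation placeholders (e.g. the AWS docs key
// AKIAIOSFODNN7EXAMPLE) and obviously dummy values such as "sk-xxxxxxxx...".
function isPlaceholder(value: string): boolean {
  const body = value.replace(/^[A-Za-z]+[-_]/, "");
  return /EXAMPLE|xxxx|your[-_]?key|changeme/i.test(value) || /^(.)\1+$/.test(body);
}

function allMatches(re: RegExp, text: string): string[] {
  const r = new RegExp(re.source, "g");
  const out: string[] = [];
  let m: RegExpExecArray | null;
  while ((m = r.exec(text)) !== null) out.push(m[0]);
  return out;
}

function scanSource(src: string): Finding[] {
  const findings: Finding[] = [];
  src.split("\n").forEach((text, idx) => {
    for (const { kind, re } of PATTERNS)
      for (const match of allMatches(re, text))
        if (!isPlaceholder(match)) findings.push({ line: idx + 1, kind, match });
    for (const match of allMatches(JWT_RE, text))
      if (jwtRole(match) === "service_role")
        findings.push({ line: idx + 1, kind: "supabase-service-role", match });
  });
  return findings;
}

// Constructed unsigned JWT so the sample needs no real Supabase key.
function fakeJwt(payload: object): string {
  const header = b64urlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  return `${header}.${b64urlEncode(JSON.stringify(payload))}.fakesignature`;
}

// Constructed sample source: lines 1, 3 and 6 should be flagged, the rest not.
const SAMPLE = [
  `const openai = "sk-abcdef0123456789ABCDEF";`,
  `const stripePk = "pk_test_abcdefghijklmnopqrstuvwx";`,
  `const stripeSk = "sk_test_abcdefghijklmnopqrstuvwx";`,
  `const aws = "AKIAIOSFODNN7EXAMPLE";`,
  `const anon = "${fakeJwt({ role: "anon", iss: "supabase" })}";`,
  `const svc = "${fakeJwt({ role: "service_role", iss: "supabase" })}";`,
].join("\n");

for (const f of scanSource(SAMPLE)) console.log(`line ${f.line}: ${f.kind}`);
```

Run it with `npx tsx detector-example.ts` (or any TypeScript runner on Node 20). It reports the OpenAI key, the Stripe secret key and the service-role JWT, and stays quiet on the Stripe publishable key, the anon JWT and the AWS documentation placeholder, which is the trade-off the README describes: fewer findings, but each one is worth acting on.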
Privacy
Everything runs locally over stdio. The only network call is the OSV dependency check (package names and versions only, never your code), and offline: true disables even that.
Repository layout
This is the public source mirror of the local scanner; it is developed inside the private Opzyai monorepo and synced here on each release, byte-identical.

packages/
  mcp-local/   @opzyai/mcp, the MCP server published to npm
  detectors/   @appsec/detectors, shared secret-detection patterns + allowlist
  core/        @appsec/core, trimmed shim (shared types only; the full package is server-side)

Develop
pnpm install
pnpm typecheck && pnpm test   # vitest, all packages
pnpm build                    # tsup -> packages/mcp-local/dist/cli.js

Requires Node >= 20 and git on PATH (for the git-history detector's tests).
Related
Free URL scan (no account): paste your deployed URL at opzyai.com/scan for a passive check for leaked client-bundle keys, exposed .env/.git/source maps, and missing headers.
Hosted Pro MCP: deep scans of repos you own (dependency CVEs, SAST, git-history secrets) plus propose_fix, the exact change for your agent to apply: opzyai.com/mcp.
License
MIT © Opzyai