keyway-mcp
Verified Safeby keywaysh
Overview
Enables AI assistants to securely manage GitHub-native secrets in a Keyway vault without exposing sensitive values in conversation logs or directly to the AI model.
Installation
npx @keywaysh/mcpEnvironment Variables
- KEYWAY_API_URL
Security Notes
The server demonstrates excellent security practices. It uses strong encryption (AES-256-GCM) for stored authentication tokens, enforces strict file permissions (0600) for the encryption key, and validates HTTPS for API communication. Crucially, sensitive values are never exposed to the AI or logs; tools like `keyway_generate`, `keyway_scan`, and `keyway_diff` return masked previews, and `keyway_inject_run` meticulously redacts secrets from command output while preventing shell injection via `shell: false`. Input validation (using Zod) is robust across all tools. The explicit documentation regarding `keyway_set_secret` being the only tool where the AI supplies the raw value is a strong point of transparency. The only reason it's not a 10 is the inherent complexity of perfect output masking and false positive detection, though the implementation appears highly robust.
Similar Servers
git-mcp-server
A Model Context Protocol (MCP) server that provides Git-specific tools and resources for AI/LLM agents to interact with version control systems.
vault-mcp-server
Provides a Model Context Protocol (MCP) server implementation to integrate HashiCorp Vault secrets management and PKI operations with LLM clients.
mcp-safe-run
Securely launches Model Context Protocol (MCP) servers by dynamically resolving and injecting sensitive credentials (secrets) from various sources (environment, files, OS keychain) into the server's environment.
poly-git-mcp
Provides Model Context Protocol (MCP) tools for AI assistants to manage Git repositories, issues, pull requests, and CI/CD across GitHub, GitLab, Gitea, and Bitbucket platforms.