MCP Security Hook: Credential Scanning on the Fly

Had one of those “oh shit” moments yesterday when I realized how easy it would be to accidentally pass credentials to an MCP server. You’re debugging, you paste some code with an API key, and boom - it’s potentially exposed to whatever server you’re connected to.

So I built a simple security hook that plugs into Claude Code’s event system. Every time I’m about to call an MCP server, my script does a quick scan of the outgoing data looking for anything that smells like a credential - API keys, tokens, connection strings, you name it. If it finds something suspicious, it blocks the call and yells at me.

It’s not perfect, but it’s already saved me twice this week. Sometimes the best security is just a simple script that says “hey, are you sure about that?” before you do something stupid.

The paranoid developer in me sleeps a little better knowing there’s at least one more layer between my secrets and the internet.

You can get the code here: https://github.com/rikdc/claude_code_template
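A sketch of the kind of check described above, added here as an example; it is not the code from the linked repository. It assumes the script is registered as a Claude Code `PreToolUse` hook that receives the event as JSON on stdin with `tool_name` and `tool_input` fields, that MCP tools are named `mcp__<server>__<tool>`, and that exit code 2 blocks the call. The patterns and the `flatten` and `scan` helper names are illustrative.

```python
#!/usr/bin/env python3
"""PreToolUse hook sketch: block MCP calls whose arguments look like credentials."""
import json
import re
import sys

# Constructed, illustrative patterns; extend with the secret formats you use.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "url_with_password": re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s:/@]+:[^\s@/]+@"),
    "assigned_secret": re.compile(
        r"(?:api[_-]?key|secret|token|passw(?:or)?d)\s*[:=]\s*[\"']?[^\s\"',]{8,}",
        re.I),
}

def flatten(value, key=""):
    """Yield 'key=value' text for every string nested in a JSON value."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from flatten(v, str(k))
    elif isinstance(value, list):
        for v in value:
            yield from flatten(v, key)
    elif isinstance(value, str):
        yield f"{key}={value}"

def scan(event):
    """Return sorted names of patterns matched in an MCP call's tool_input."""
    if not str(event.get("tool_name", "")).startswith("mcp__"):
        return []  # only outgoing MCP calls are inspected
    text = "\n".join(flatten(event.get("tool_input", {})))
    return sorted(name for name, rx in PATTERNS.items() if rx.search(text))

def main():
    try:
        hits = scan(json.load(sys.stdin))
    except (json.JSONDecodeError, AttributeError):
        hits = ["unparseable_event"]  # fail closed on input we cannot inspect
    if hits:
        # Name the pattern only; never echo the matched secret back.
        print("Blocked MCP call, possible credential: " + ", ".join(hits),
              file=sys.stderr)
        return 2  # exit code 2 tells Claude Code to block the tool call
    return 0

if __name__ == "__main__":
    sys.exit(main())
```

Regex matching like this catches known formats and obvious `key=value` assignments; it will miss high-entropy secrets with no recognizable prefix and will occasionally flag harmless text.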