I Audited My Own AI Agent Setup. Here’s What I Found.
Four attack vectors that most developers building with Claude Code, Cursor, and MCP servers don’t know they have open.

Last week, I sat down to audit my own AI agent setup. I have been building with Claude Code, MCP servers, and Cursor for over a year. I assumed I knew where the risks were.
I was wrong.
Within thirty minutes, I had a list of four attack vectors open on my own machine. Not theoretical. Not edge cases. Real ones — credentials my agent could read, tools with more access than I had granted, network paths I had stopped thinking about.
I put the full walkthrough on YouTube. Live demo, real configurations, exact fixes.
▶ Watch the full walkthrough →
If you build with AI agents, here is what to look for in your own setup before you watch.
1 — Your .env is probably in scope
Your .env The file holds your Anthropic key, your OpenAI key, and your GitHub token. Standard stuff.
The new problem: your AI agent can read it.
If your filesystem MCP is scoped to your home directory, that .env is in scope. Once a credential is in your agent's context, it travels to your model provider, to your tool servers, to any logging layer in between.
The video shows the exact config to fix this.
2 — Your MCP servers have more access than you remember
Filesystem MCP can read every file you own. Shell MCP can run every command you can run.
The agent does not need to be malicious. The agent needs one prompt-injected document, and your shell is theirs.
The video walks through how to audit every MCP server you have loaded.
3 — Your network layer matters more than you think
Every model call your agent makes is a network request. Every tool call is a network request. Home Wi-Fi, cafes, hotels, co-working desks — the network is part of your attack surface.
The video covers what I use and why.
4 — Your credentials may already be leaked
GitHub, npm, AWS, OpenAI, and Anthropic accounts are high-value targets. Breached data ends up on dark web markets. If your key was in a leaked dataset last month, you have a window to rotate it — but only if you know.
The video shows the tools I use to monitor this.
The fix is not fewer agents. The fix is fewer assumptions.
If your AI agent does real work, your agent has real access. Real access is real risk. Most developers do not feel this risk because the agent works and the code ships. Nothing going wrong yet is not the same as nothing being wrong.
The full breakdown — with live demos on Depwire, my open-source MCP server — is here:
Depwire is free and open source: github.com/depwire/depwire