fizzgig__env_auditor
checks your .env file for credible secrets behind public prefixes.
the AI exposes the admin key to the browser because the file already had NEXT_PUBLIC_ vars and it followed the pattern. you find out via a stripe email two weeks later.
6 structural checks: NEXT_PUBLIC_ / VITE_ / EXPO_PUBLIC_ vars carrying high-entropy server-only secrets (deterministic suppression for known publishable formats), duplicate keys (later wins, earlier silently lost), framework-prefix drift (NEXT_PUBLIC_ alongside VITE_), whitespace around =, unmatched quotes, empty values. Pass is_example=true and .env.example files are treated as documented placeholders.
catch the leaked-admin-key bug before the AI ships it. the .env file is a known attack surface — keep it clean.
caught a policy that would have leaked every user's comments. shipped a fix in 4 minutes.
first tool i installed. it's the one that pays for itself.
works great. one false positive on a join table — easy to ignore.
{
"fizzgig": {
"url": "https://mcp.fizzgig.ai",
"tools": ["env_auditor"]
}
}