Gives Claude tools to find hardcoded secrets in your codebase, verify they're actually live by calling the provider API, and rewrite them in place to pull from environment variables. Exposes scan_repository, classify_candidates, verify_finding, and propose_rewrite over MCP. The agent can check its own work before committing, catching real AWS keys or Stripe tokens while ignoring documented examples and placeholders. Verification happens locally against 15+ providers including GitHub, Anthropic, OpenAI, and Datadog. Useful when you want an agent writing code but don't want to manually audit every diff for leaked credentials.
claude mcp add --transport stdio leakferrethq-leakferret uvx leakferret