Security issue : /mcp shows env variable like OAI Key, PAT token , expecting it to hide those sensitive info.

### What version of Codex is running?

v0.48.0-alpha.3

### What subscription do you have?

enterpise

### Which model were you using?

gpt5-codex

### What platform is your computer?

linux

### What issue are you seeing?

```
  • task-master-ai
    • Status: enabled
    • Auth: Unsupported
    • Command: npx -y task-master-ai
    • Env: OPENAI_API_KEY=sk12343, OPENAI_BASE_URL=xxx
    • Tools: (none)
    • Resources: (none)
    • Resource templates: (none)```

it shows actual openAI key , I was expecting it to show ***** or something as if we running headless codex it can expose the API and other sensitive info like PAT token easily in trace 

### What steps can reproduce the bug?

1. have mcp setup with OAI key as env variable 
2. /mcp

### What is the expected behavior?

sensitive info should be masked out with **** 

### Additional information

_No response_

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Security issue : /mcp shows env variable like OAI Key, PAT token , expecting it to hide those sensitive info. #5524

What version of Codex is running?

What subscription do you have?

Which model were you using?

What platform is your computer?

What issue are you seeing?

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Security issue : /mcp shows env variable like OAI Key, PAT token , expecting it to hide those sensitive info. #5524

Description

What version of Codex is running?

What subscription do you have?

Which model were you using?

What platform is your computer?

What issue are you seeing?

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions