Cryptographic identity, message signing, and trust verification for the Model Context Protocol.
MCP is HTTP. MCPS is HTTPS.
npm install mcp-secure
pip install mcp-secure
No identity. No message signing. No tool integrity. No revocation. Real CVEs exist today.
Any agent can connect to any MCP server. No way to verify who is calling. No passports, no certificates, no trust.
JSON-RPC messages travel unsigned. Man-in-the-middle attacks can modify tool calls, inject parameters, or replay requests.
Tool definitions can be tampered with after registration. Tool poisoning and rug pulls are trivial. 82% of MCP servers have path traversal vulnerabilities.
Compromised agents cannot be revoked. No mechanism to blacklist bad actors. No audit trail. Enterprise calls MCP a "non-starter."
A cryptographic security layer that sits on top of MCP. Like TLS for HTTP.
ECDSA P-256 signed identity credentials. Every agent gets a cryptographic passport that proves who they are.
Every JSON-RPC message wrapped in a signed envelope. Nonce + timestamp prevents replay attacks.
Signed tool definitions prevent poisoning and rug pulls. Detect tampering before execution.
Revoke compromised agents instantly via Trust Authority. Blacklist bad actors across the network.
From unsigned (L0) to audited (L4). Enforce minimum trust levels per server. Progressive trust.
Run your own Trust Authority. All verification stays local. Nothing phones home. Full enterprise control.
Drop-in SDK. Available for Node.js and Python.
```javascript
const mcps = require('mcp-secure');

// Generate keys + passport
const keys = mcps.generateKeyPair();
const passport = mcps.createPassport({
  name: 'my-agent',
  version: '1.0.0',
  publicKey: keys.publicKey,
});

// Trust Authority signs the passport
// (taPrivateKey is the Trust Authority's signing key, held by the TA, not the agent)
const signed = mcps.signPassport(passport, taPrivateKey);

// Sign any MCP message (mcpMessage is the JSON-RPC request or response being sent)
const envelope = mcps.signMessage(mcpMessage, passport.passport_id, keys.privateKey);

// Verify on the receiving end
const result = mcps.verifyMessage(envelope, keys.publicKey); // { valid: true }
```
```python
from mcp_secure import generate_key_pair, create_passport, sign_passport
from mcp_secure import sign_message, verify_message

# Generate keys + passport
keys = generate_key_pair()
passport = create_passport(
    name="my-agent",
    version="1.0.0",
    public_key=keys["public_key"],
)

# Trust Authority signs the passport
# (ta_private_key is the Trust Authority's signing key, held by the TA, not the agent)
signed = sign_passport(passport, ta_private_key)

# Sign any MCP message (mcp_message is the JSON-RPC request or response being sent)
envelope = sign_message(mcp_message, passport["passport_id"], keys["private_key"])

# Verify on the receiving end
result = verify_message(envelope, keys["public_key"])  # {"valid": True}
```
Progressive trust. Enforce minimum levels per server.
| Level | Name | Meaning | Requirements |
|---|---|---|---|
| 0 | Unsigned | Plain MCP, no MCPS | None |
| 1 | Identified | Passport presented | Valid passport with public key |
| 2 | Verified | Passport verified + not revoked | Trust Authority confirmation |
| 3 | Scanned | Verified + passed security scan | OWASP agentic AI scan |
| 4 | Audited | Scanned + manual audit | Trust Authority manual review |
MCPS mitigates 8 of 10 OWASP MCP security risks.
OWASP Agentic AI Top 10 security assessment. Point-in-time static analysis. March 2026.
| Agent | Category | Stars | Verdict | Risk | Key Findings |
|---|---|---|---|---|---|
| Open Interpreter | Code Agent | 57K+ | FAIL | 80 | exec(), os.system(), child_process, no sandbox |
| OpenHands | Code Agent | 69K+ | FAIL | 70 | subprocess, exec, shell commands, file write |
| AutoGPT | Autonomous | 182K+ | FAIL | 65 | exec(), os.system(), no sandbox |
| Goose | Code Agent | 32K+ | FAIL | 65 | Shell exec core, pkg install, no sandbox |
| Devika | Code Agent | 19K+ | FAIL | 65 | exec(), subprocess, browser automation |
| Browser Use | Browser Agent | 80K+ | FAIL | 60 | Arbitrary browser control, JS injection |
| BabyAGI | Autonomous | 20K+ | FAIL | 55 | exec(), eval(), supply chain |
| GPT Engineer | Code Agent | 53K+ | FAIL | 55 | exec(), subprocess, supply chain |
| AgentGPT | Autonomous | 32K+ | FAIL | 55 | eval(), no sandbox, supply chain |
| MetaGPT | Multi-Agent | 48K+ | FAIL | 50 | subprocess shell=True, no sandbox |
| ChatDev | Multi-Agent | 27K+ | FAIL | 50 | exec(), subprocess |
| SuperAGI | Autonomous | 15K+ | FAIL | 50 | subprocess shell=True, excessive agency |
| CAMEL | Multi-Agent | 6K+ | FAIL | 40 | eval(), supply chain |
| n8n | Workflow | 178K+ | WARN | 26 | Code execution nodes, shell commands, spawn() |
| LangChain | Framework | 100K+ | WARN | 26 | Supply chain, prompt injection vectors |
| SWE-agent | Code Agent | 18K+ | WARN | 26 | Docker exec, subprocess, shell commands |
| CrewAI | Multi-Agent | 45K+ | WARN | 23 | Supply chain, excessive permissions |
| Microsoft AutoGen | Multi-Agent | 50K+ | WARN | 23 | Code execution patterns, supply chain |
| TaskWeaver | Code Agent | 5K+ | WARN | 23 | Eval patterns, no sandbox |
| Langflow | Agent Builder | 145K+ | WARN | 23 | Inherits LangChain exec patterns |
| Aider | Code Agent | 41K+ | WARN | 23 | subprocess for git/tests, shell execution |
| Dify | Agent Platform | 132K+ | WARN | 21 | Sandboxed code exec, tool calling |
| Crawl4AI | Web Agent | 61K+ | WARN | 21 | Playwright subprocess, arbitrary URL fetch |
| Semantic Kernel | Framework | 23K+ | WARN | 18 | Supply chain, output handling |
| Smolagents | Framework | 15K+ | WARN | 18 | Code execution, supply chain |
| Composio | Agent Tooling | 27K+ | WARN | 18 | Sandboxed exec, shell tools |
| Letta | Stateful Agent | 21K+ | WARN | 18 | Tool execution, subprocess |
| OpenAI Agents SDK | Framework | 19K+ | WARN | 11 | Supply chain, excessive agency config |
| Haystack | Framework | 18K+ | WARN | 11 | Supply chain, output handling |
| Swarm | Multi-Agent | 18K+ | WARN | 11 | Excessive agency, supply chain |
| LlamaIndex | Framework | 38K+ | PASS | 3 | Minor supply chain note |
| Google ADK | Framework | 15K+ | PASS | 3 | Minor supply chain note |
| Amazon Bedrock Agents | Cloud Agent | -- | PASS | 3 | Minor supply chain note |
| Vercel AI SDK | SDK | 12K+ | PASS | 0 | No issues detected |
| Anthropic Claude SDK | SDK | 8K+ | PASS | 0 | No issues detected |
| Phidata | Framework | 18K+ | PASS | 0 | No issues detected |
| Instructor | SDK | 9K+ | PASS | 0 | No issues detected |
| Mastra | Framework | 10K+ | PASS | 0 | No issues detected |
| AgentSign SDK | Identity SDK | OSS | PASS | 0 | No issues detected |
Point-in-time static analysis. Not a certification. Scanned March 2026 by AgentSign.
JSON Schema. Example flows. Everything you need to implement MCPS in any language.
All keys stay local. All verification stays internal. Nothing phones home.
```shell
$ docker run -p 8080:8080 agentsign/server
# Your own Trust Authority.
# Your own keys.
# Nothing phones home.
```
Powered by AgentSign -- Zero Trust Engine for AI Agents
Zero dependencies. Node.js + Python. MIT licensed.