The Problem
Every enterprise is rushing to deploy AI agents. MCP (Model Context Protocol) servers are connecting them to production databases, APIs, and internal tools. But there's a fundamental question nobody is asking:
How do you verify the agent calling your tool is who it claims to be?
Right now, you don't. There is no identity layer for AI agents. No trust verification. No accountability.
The numbers tell the story:
- 135,000+ exposed MCP servers (SecurityScorecard STRIKE)
- 36% of MCP servers vulnerable to prompt injection (Snyk ToxicSkills)
- CVE-2026-25253: tool poisoning attack, CVSS 8.8
What We Built
AgentSign is an open-source zero trust engine that gives every AI agent a cryptographic passport.
The Architecture
```text
Agent Onboard → ECDSA P-256 Keypair
        ↓
7-Stage Pipeline: INTAKE → VETTING → TESTING → DEV_APPROVED → PROD_APPROVED → ACTIVE
        ↓
13-Point SDLC Security Scanner (OWASP Agentic Top 10 aligned)
        ↓
MCP Verification Gate ("The Gate"): identity + trust + stage checked
        ↓
Trust Score: 5-factor (code + exec_rate + success + history + stage)
```
The 13-Point SDLC Scanner
| # | Check | Severity | OWASP |
|---|---|---|---|
| 1 | Hardcoded API Keys | CRITICAL | ASI07 |
| 2 | eval()/exec() Usage | CRITICAL | ASI03 |
| 3 | Shell Injection (os.system) | CRITICAL | ASI03 |
| 4 | Prompt Injection Patterns | HIGH | ASI01 |
| 5 | Unsafe Deserialization | HIGH | ASI03 |
| 6 | SQL Injection Patterns | HIGH | ASI03 |
| 7 | Missing Error Handling | MEDIUM | ASI05 |
| 8 | Excessive Permissions | MEDIUM | ASI04 |
| 9 | No Rate Limiting | MEDIUM | ASI02 |
| 10 | Missing Input Validation | MEDIUM | ASI03 |
| 11 | Insecure HTTP Usage | LOW | ASI07 |
| 12 | Debug Mode Enabled | LOW | ASI10 |
| 13 | Missing Logging | LOW | ASI05 |
Covers 7 of 10 OWASP Agentic risks (ASI01, ASI02, ASI03, ASI04, ASI05, ASI07, ASI10).
MCP Verification Gate
The core innovation. When an agent requests access to an MCP server:
```http
POST /api/mcp/verify
{
  "agent_id": "agent-abc123",
  "server_id": "mcp-finance-prod",
  "signature": "ECDSA-P256-SHA256..."
}
```
Response:
```json
{
  "allowed": true,
  "checks": {
    "identity": "VALID",
    "trust_score": 82,
    "pipeline_stage": "ACTIVE",
    "trust_threshold_met": true
  }
}
```
No identity? DENIED. Below trust threshold? DENIED. Not through the pipeline? DENIED.
Wild Agents Audit
We catalogued 10 popular AI agents from GitHub (55K+ stars combined). What we found:
- GPT-Engineer (55K stars): `use_docker=False`, arbitrary code execution
- FinRobot (6.3K stars): hardcoded API tokens in source
- Multiple agents: no human oversight, unrestricted tool access, missing input validation
Trust Scoring
Five-factor scoring across 100 points:
| Factor | Weight | What It Measures |
|---|---|---|
| Code Attestation | 20 | Hash-verified, scanner passed |
| Exec Verification Rate | 20 | How often identity is checked |
| Success Rate | 20 | Task completion without errors |
| History Depth | 20 | Track record length |
| Pipeline Stage | 20 | How far through vetting |
Trust tiers: UNTRUSTED (0-19) → NEW (20-39) → PROVISIONAL (40-59) → VERIFIED (60-79) → TRUSTED (80+)
Quick Start
```shell
npm install agentsign-openclaw
```
```javascript
import { AgentSign } from 'agentsign-openclaw';

const as = new AgentSign();
const passport = as.createPassport('my-agent'); // issue a cryptographic passport for this agent
const verified = as.verify(passport);           // check the passport before trusting the agent
```
Links
- GitHub: github.com/razashariff/agentsign-openclaw
- Live API: agentsign-api.fly.dev
- Interactive Demo: Google Colab notebook
- npm: agentsign-openclaw
- Patent: GB2604808.2 (filed March 2026)
Open source. Free forever. Don't trust your agent — verify it.