DEV Community

razashariff

How to Secure MCP Tool Calls in n8n Workflows

n8n connects AI Agents to external tools via MCP. Tool definitions and tool call payloads flow between the agent and the server without any end-to-end integrity check: TLS protects the connection, not the content a compromised server chooses to send. Such a server can change a tool description between calls, inject instructions the LLM will follow, or alter parameters in transit.

This isn't theoretical. The postmark-mcp incident was a backdoored npm release of the server whose send-email tool silently BCC'd every message to an attacker. CVE-2025-6514 (CVSS 9.6) achieved full RCE through mcp-remote. The MCPTox benchmark reports a 72.8% tool poisoning success rate across 20 LLM agents.

I built an n8n community node based on MCPS (MCP Secure), an IETF Internet-Draft (a working document, not yet an RFC) that adds a cryptographic signing layer to MCP.

Install

npm install n8n-nodes-mcps

Run this in the n8n custom nodes directory (~/.n8n/nodes on a default self-hosted install) or install the package from Settings > Community Nodes. Restart n8n; the "MCPS Security" node appears in your node library.

What it does

Drop it into any workflow that uses MCP tools. Select "Full Security Wrap" for one-step protection:

Tool call signing -- every MCP tool call is signed with HMAC-SHA256 over a canonical representation of the tool name, arguments, a unique nonce, and a timestamp. If any parameter is modified in transit, verification fails. HMAC is a shared-secret scheme: any party holding the key can produce valid signatures, so keep the key confined to the components that must sign and verify.

Tool definition pinning -- the node hashes the tool schema on first contact and compares every later definition against that hash. If the MCP server changes the tool definition between calls (rug pull), execution is blocked before the LLM ever sees the modified definition. This is trust-on-first-use: a definition that is already poisoned on first contact gets pinned as-is, so review the pinned definitions when you onboard a new server.

Replay protection -- each call carries a unique nonce and a timestamp. A call whose nonce has already been seen, or whose timestamp falls outside the TTL window (default 5 minutes), is rejected, so a captured call cannot be replayed.

Audit trail -- every operation emits a structured event with workflow ID, execution ID, timestamp, tool name, and operation type. Feed it into your SIEM or log aggregator.

Operations

Operation                 What it does
Full Security Wrap        Sign + pin + nonce + audit in one step
Sign Tool Call            Sign an outgoing tool call
Verify Tool Call          Verify an incoming signed call
Pin Tool Definition       Hash and store a tool definition
Verify Tool Definition    Check if a definition matches its pin

Example: detecting a rug pull

  1. First workflow run: MCPS pins the tool definition (hash stored)
  2. Attacker modifies the tool description on the MCP server
  3. Second workflow run: MCPS detects the hash mismatch
  4. Output: { blocked: true, reason: "TOOL_DEFINITION_CHANGED", detail: "Possible rug pull attack (OWASP MCP-04)" }

The workflow stops before the tampered tool reaches the LLM.

What is MCPS?

MCPS (MCP Secure) is an IETF Internet-Draft that adds cryptographic identity and integrity to the Model Context Protocol. It covers 8 of the 10 OWASP MCP Top 10 risks. The n8n node implements the core signing and pinning primitives from the MCPS specification.

MCPS is also available as standalone packages for other frameworks:

  • pip install crewai-mcps (CrewAI)
  • pip install langchain-mcps (LangChain)
  • npm install mcp-secure (any Node.js project)
  • Managed proxy with Microsoft Defender + Azure Sentinel integration at MCPSaaS

Security properties

  • HMAC-SHA256 signing (constant-time comparison to prevent timing attacks)
  • Deterministic JSON serialization (key ordering doesn't affect signatures)
  • Nonces come from the CSPRNG; a unit test checks uniqueness across 1000 generations
  • Zero production dependencies (uses only Node.js built-in crypto)
  • 41 tests covering signing, verification, tamper detection, pinning, rug pulls, replay, edge cases
  • No external API calls, no data leaves your n8n instance

OWASP MCP Top 10 coverage (the four risks the n8n node addresses directly)

  • MCP-01: Tool Poisoning -- tool definition pinning detects modified descriptions
  • MCP-04: Tool Rug Pulls -- hash comparison blocks changed schemas
  • MCP-08: Logging Gaps -- structured audit events for every operation
  • MCP-10: Lack of Integrity -- per-message cryptographic signatures
