[Security] TLS verification disabled in MCPConnection + auth bypass in MCPOauth

[hhhashexe]

Found via SkillFence automated scan.

Finding 1: MCPConnection.ts — TLS verification disabled, allowing MITM attacks on MCP server connections.

Finding 2: MCPOauth.ts — Authentication disabled pattern detected.

Impact: MCP connections without TLS verification can be intercepted, potentially allowing tool poisoning attacks.

Recommendation:

• Enable TLS verification by default
• Require auth for all MCP connections
• Add certificate pinning for known MCP servers

Scan: npx skillfence scan . (Verdict: BLOCK, 82 critical, 64 high)

Responsible disclosure via automated security scanning.

[razashariff]

This is why we built MCPS (MCP Secure) — transport security isn't enough. MCPS adds application-level signing to every MCP message. Each tool call carries an ECDSA P-256 signature with nonce, timestamp, and agent passport_id bound into the signing payload. Verifiable end-to-end, not just hop-to-hop. Even if TLS is stripped, the message integrity holds. IETF Internet-Draft | github.com/razashariff/mcps