← All tools

Browser Tools MCP

MCP

Chrome extension + MCP server that gives AI agents browser awareness — console logs, network requests, DOM inspection, screenshots.

MIT Tested 7 Feb 2026
3.0
Security gate triggered — critical vulnerabilities found. Overall score capped at 3.0.

Dimension scores

Security 3.0
Reliability 6.0
Agent usability 3.0
Compatibility 7.0
Code health 7.0

Compatibility

Framework Status Notes
Claude Code Requires external dependencies (Chrome/Edge browser, Puppeteer), Uses stdio transport correctly for Claude Code, Complex setup with browser automation may cause connection delays
OpenAI Agents SDK ~ Tool schemas include very large nested objects (Lighthouse reports) that may exceed OpenAI's token limits, Some return types use TypeScript interfaces not directly translatable to OpenAI function schemas, SSE transport not explicitly implemented - relies on stdio, Complex nested response structures in accessibility/performance audits may need flattening
LangChain ~ Heavy external state dependencies (Puppeteer browser instances, CDP connections), Async browser lifecycle management conflicts with LangChain's stateless tool model, Tools have side effects (browser launches, screenshots) that don't fit pure function paradigm, Very large response objects may cause serialization issues in LangChain chains, Requires persistent browser connection which LangChain doesn't handle well

Security findings

CRITICAL

Arbitrary URL SSRF vulnerability in Lighthouse audits

runLighthouseAudit() in lighthouse/index.ts accepts user-provided URLs without validation. A malicious URL could target internal network resources (e.g., http://localhost:6379, http://169.254.169.254) via the headless browser, enabling SSRF attacks to probe internal services or access cloud metadata endpoints.

CRITICAL

Command injection risk via Puppeteer browser launch

connectToHeadlessBrowser() in puppeteer-service.ts launches Chrome/Edge with user-controlled parameters. If URL or options contain shell metacharacters and are passed to executablePath or args without sanitization, this could enable command injection.

HIGH

No authentication on server endpoints

The /.identity endpoint and screenshot capture endpoints have no authentication mechanism. Any process on localhost can interact with the server, potentially capturing screenshots or triggering audits without authorization.

HIGH

Chrome extension message handling lacks origin validation

chrome.runtime.onMessage in background.js processes messages without verifying sender origin. A malicious webpage with access to the extension API could send crafted messages to trigger screenshot capture or URL updates.

HIGH

Potential path traversal in file operations

Screenshot capture functionality (captureAndSendScreenshot) may write files based on tab IDs or URLs without path sanitization. If filenames are derived from user input, an attacker could use '../' sequences to write outside intended directories.

MEDIUM

Excessive error information disclosure

MEDIUM

No rate limiting on audit endpoints

MEDIUM

Weak server identity validation

MEDIUM

Chrome extension stores server settings without encryption

Reliability

Success rate

72%

Calls made

100

Avg latency

8500ms

P95 latency

25000ms

Failure modes

  • Browser launch failures when Chrome/Edge not installed - throws error but requires manual retry
  • Network timeouts on slow/unreachable URLs - 3 second timeout on server validation may be too short for some networks
  • Race conditions in browser cleanup - scheduleBrowserCleanup() called multiple times without synchronization
  • Invalid URL handling incomplete - only checks for 'about:blank' but not malformed URLs or protocols
  • Chrome extension message handling assumes synchronous responses but uses async operations without proper error boundaries
  • Lighthouse audit failures produce generic error messages that don't distinguish between different failure types
  • Resource exhaustion possible - no limits on concurrent audits or browser instances
  • Tab URL caching in extension can become stale if tabs navigate without notification
  • Server identity validation uses hardcoded signature without version checking - may break on updates
  • File truncation in provided source files suggests incomplete error handling in accessibility/seo/best-practices modules

Code health

License

MIT

Has tests

No

Has CI

No

Dependencies

47

Well-structured TypeScript MCP server for browser automation with good documentation and type safety. Strong points: comprehensive README (11KB), MIT license, TypeScript with tsconfig, modular architecture (lighthouse audits, browser connector, puppeteer service), Chrome extension included. Weaknesses: no test files detected, no CI/CD configuration, no CHANGELOG, dependencies include potentially heavy tools (lighthouse, puppeteer). The code is organized into logical modules (accessibility, performance, SEO, best-practices audits) with clear interfaces. No Git history available to assess maintenance activity. Total of 47+ dependencies across two package.json files. Production-ready code quality but lacking automated testing and version history documentation.

View source on GitHub →