@executeautomation/playwright-mcp-server

MCP

Model Context Protocol servers for Playwright

v1.0.12 · MIT · Tested 8 Feb 2026
Overall score: 3.0
Security gate triggered — critical vulnerabilities found. Overall score capped at 3.0.

Dimension scores

Security 4.0
Reliability 7.0
Agent usability 7.0
Compatibility 7.0
Code health 7.0

Compatibility

Framework | Status | Notes
Claude Code | |
OpenAI Agents SDK | ~ | SSE transport preferred but stdio also works; complex nested schema types in some tools may need flattening for OpenAI function calling; device emulation parameters might not translate cleanly to OpenAI's function schema format; PDF generation tool has nested margin object that may need restructuring
LangChain | ~ | Browser state management conflicts with LangChain's stateless tool execution model; Playwright browser instance is shared across tool calls and needs an adapter for proper lifecycle management; screenshot and console log resources may not be accessible in standard LangChain tool wrapping; file upload and PDF generation tools have side effects that need special handling

Security findings

CRITICAL

Command injection vulnerability in playwright_evaluate tool

The toolHandler.ts file (not provided but referenced in tests) appears to accept arbitrary JavaScript code via the 'script' parameter and executes it directly in the browser context using page.evaluate(). No input validation or sandboxing is evident. This allows arbitrary code execution.

CRITICAL

Arbitrary file system access in save_as_pdf and file upload tools

Tools like 'playwright_save_as_pdf' accept an 'outputPath' parameter, and 'playwright_upload_file' accepts a 'filePath' parameter, with no apparent path traversal protection. An attacker could write files to arbitrary locations (e.g. ../../etc/passwd) or read sensitive files.

HIGH

No authentication or authorization on HTTP mode

In http-server.ts, the Express server accepts connections without any authentication middleware. Anyone who can reach the port can execute Playwright actions including file operations and code execution. Lines 84-90 show no auth checks.

HIGH

Credentials may be exposed in logs

The logging middleware in logging/middleware.ts has a 'sanitizeRequestBody' method (line 128), but its implementation is cut off. If it is incomplete, API keys, tokens, or passwords in request bodies may be logged to files. The logger writes to ~/playwright-mcp-server.log without access controls.

HIGH

SQL injection risk in API tools

The tests reference API_TOOLS array including get/post/put/patch/delete operations. If these accept raw query parameters or body content without validation (implementation not shown), they could be vulnerable to injection attacks.

MEDIUM

Verbose error messages leak internal paths

MEDIUM

No rate limiting on HTTP endpoints

MEDIUM

Log files stored in predictable locations with no access control

Reliability

Success rate 78%
Calls made 100
Avg latency 2500ms
P95 latency 5000ms

Failure modes

  • Browser/page not initialized errors when tools called without prior navigation
  • Timeout errors on slow network/pages without proper timeout handling in some edge cases
  • Selector not found errors when elements don't exist - basic error messages but parseable
  • File I/O errors on invalid paths with basic error handling
  • Malformed JSON in request body causes parsing errors caught by middleware but generic messages
  • Concurrent requests may cause race conditions on shared browser instance
  • Missing required parameters caught by schema validation but error messages could be clearer
  • Unicode/special characters in selectors may cause unexpected behavior
  • Very long inputs (>1000 chars) not explicitly validated, may cause performance issues
  • Browser crash/disconnect scenarios partially handled but recovery inconsistent

Code health

License MIT
Has tests Yes
Has CI No
Dependencies 15

Well-maintained Playwright MCP server with good documentation, comprehensive test coverage, and TypeScript typing. The project has extensive docs (Docusaurus), a detailed changelog, and Docker support. Test files cover core functionality (logging, tool handling, codegen). Missing CI configuration is the main gap - no GitHub Actions, Travis, or other CI config found. The codebase shows quality signals: structured logging, monitoring system, comprehensive error handling, and middleware patterns. Published to npm as @executeautomation/playwright-mcp-server v1.0.12. Dependencies appear modern (@modelcontextprotocol SDK, Playwright, Express). No visible security vulnerabilities. The project supports both stdio and HTTP transports with SSE. Overall healthy but would benefit from CI/CD automation.