
BrowserTools MCP — agentic threat model

AIVSS 9.1 · Critical

BrowserTools MCP presents a high-risk local attack surface by bridging an LLM agent directly to a user's active browser session, console logs, and network traffic via a local Node server. Without explicit authorization controls, this setup is highly vulnerable to indirect prompt injection leading to sensitive data exfiltration.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 8.8
AARS uplift: 0.29
Factor sum: 2.3/10
Threat multiplier (ThM): ×1.05
Mitigation factor: ×1.0

Agentic risk factors:
Autonomy of Action: 0.20
Goal-Driven Planning: 0.10
Self-Modification: 0.00
Dynamic Tool Use: 0.60
Persistent Memory: 0.10
Contextual Awareness: 0.50
Dynamic Identity: 0.20
Multi-Agent Interactions: 0.10
Non-Determinism: 0.20
Opacity & Reflexivity: 0.30

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
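The following is an added worked example, not tooling from the listing or from the AIVSS calculator it references: it recomputes the score above from the published inputs using the formula quoted on this page. The qualitative severity bands are an assumption (CVSS v3.1 ranges), chosen because the listing labels 9.1 as Critical.

```javascript
// Added example: recompute the listing's OWASP AIVSS score from its published inputs.
const CVSS_BASE = 8.8;          // CVSS base score shown on the listing
const THREAT_MULTIPLIER = 1.05; // ThM in the formula
const MITIGATION_FACTOR = 1.0;  // no mitigation credit was given

// The ten agentic risk factors exactly as scored on the listing (each 0.0 to 1.0).
const AGENTIC_FACTORS = {
  'Autonomy of Action': 0.2,
  'Goal-Driven Planning': 0.1,
  'Self-Modification': 0.0,
  'Dynamic Tool Use': 0.6,
  'Persistent Memory': 0.1,
  'Contextual Awareness': 0.5,
  'Dynamic Identity': 0.2,
  'Multi-Agent Interactions': 0.1,
  'Non-Determinism': 0.2,
  'Opacity & Reflexivity': 0.3,
};

// Round to a fixed number of decimal places (floating-point sums need tidying before display).
const round = (x, places) => Math.round(x * 10 ** places) / 10 ** places;

function factorSum(factors) {
  return Object.values(factors).reduce((acc, v) => acc + v, 0);
}

// AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
function aars(cvssBase, sum, thm) {
  return (10 - cvssBase) * (sum / 10) * thm;
}

// AIVSS = (CVSS_Base + AARS) × Mitigation_Factor
function aivss(cvssBase, factors, thm, mitigation) {
  return (cvssBase + aars(cvssBase, factorSum(factors), thm)) * mitigation;
}

// Qualitative band; assumed to follow the CVSS v3.1 ranges.
function severity(score) {
  if (score >= 9.0) return 'Critical';
  if (score >= 7.0) return 'High';
  if (score >= 4.0) return 'Medium';
  if (score > 0) return 'Low';
  return 'None';
}

// Reproduce the numbers shown in the rationale block.
function scoreListing() {
  const sum = factorSum(AGENTIC_FACTORS);
  const uplift = aars(CVSS_BASE, sum, THREAT_MULTIPLIER);
  const score = aivss(CVSS_BASE, AGENTIC_FACTORS, THREAT_MULTIPLIER, MITIGATION_FACTOR);
  const rounded = round(score, 1);
  return { factorSum: round(sum, 2), aars: round(uplift, 2), aivss: rounded, severity: severity(rounded) };
}
```

Because the CVSS base is already 8.8, the agentic factors can add at most 1.2 × ThM; the uplift here (0.29) is small in absolute terms but enough to cross the 9.0 line. Calling aivss() with a Mitigation_Factor below 1.0 shows how much credit documented controls (authentication on the middleware, loopback-only binding) would need to earn to move the score out of the Critical band.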

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — BrowserTools MCP is model-agnostic and acts as an MCP server. The underlying model (e.g., in Cursor) is susceptible to prompt injection, which could force the model to abuse these browser tools to exfiltrate sensitive session data.

L2 · Data Operations (✓ mapped)

The agent accesses live browser console logs, network requests, and screenshots. This introduces significant data exfiltration risks, as sensitive session tokens, API keys, or PII present in the browser memory or network traffic are streamed directly to the LLM.
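One mitigation for this layer is to scrub obvious secrets from captured network-log entries before they reach the model. The block below is an added example, not code from the BrowserTools MCP project; the entry shape, the header names and the sample entry are constructed for illustration, and the patterns cover common token shapes rather than every possible secret.

```javascript
// Added example: redact credentials from a captured network-log entry before it is streamed to the LLM.
// Header names whose values are always secret-bearing.
const SENSITIVE_HEADERS = new Set(['authorization', 'proxy-authorization', 'cookie', 'set-cookie', 'x-api-key']);

// Redact token-shaped substrings in free text (URLs, bodies). Patterns are constructed and not exhaustive.
function redactString(s) {
  let out = s;
  // "Bearer <token>" anywhere in text
  out = out.replace(/\b(Bearer)\s+[A-Za-z0-9\-._~+\/]+=*/g, '$1 [REDACTED]');
  // JWT-shaped values: three base64url segments, the first starting with "eyJ"
  out = out.replace(/\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/g, '[REDACTED_JWT]');
  // Credential-looking query parameters
  out = out.replace(/([?&](?:token|api_key|apikey|access_token|session)=)[^&\s]+/gi, '$1[REDACTED]');
  return out;
}

// Replace whole values of sensitive headers; run the text scrubber over the rest.
function redactHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    out[name] = SENSITIVE_HEADERS.has(name.toLowerCase()) ? '[REDACTED]' : redactString(String(value));
  }
  return out;
}

// Entry shape (url, method, request/response headers and bodies) is an assumption about the capture format.
function redactEntry(entry) {
  return {
    url: redactString(entry.url),
    method: entry.method,
    requestHeaders: redactHeaders(entry.requestHeaders),
    responseHeaders: redactHeaders(entry.responseHeaders),
    requestBody: entry.requestBody == null ? null : redactString(String(entry.requestBody)),
    responseBody: entry.responseBody == null ? null : redactString(String(entry.responseBody)),
  };
}

// Constructed sample entry (not a real capture).
const SAMPLE_ENTRY = {
  url: 'https://api.example.test/v1/me?access_token=abc123def456',
  method: 'GET',
  requestHeaders: { Authorization: 'Bearer abc.def.ghi', Cookie: 'session=s3cr3t', Accept: 'application/json' },
  responseHeaders: { 'Set-Cookie': 'session=new; HttpOnly', 'Content-Type': 'application/json' },
  requestBody: null,
  responseBody: '{"ok":true,"token":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.sflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"}',
};

function redactedSample() {
  return redactEntry(SAMPLE_ENTRY);
}
```

Redaction of this kind reduces what an injected instruction can exfiltrate through the log tools, but it is a filter on known shapes: anything the patterns miss still reaches the model, so it complements rather than replaces access control on the middleware.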

L3 · Agent Frameworks (✓ mapped)

Integrates via the Model Context Protocol (MCP) as a toolset. Vulnerabilities in the host agent's tool-calling orchestration could allow an attacker to trigger unauthorized screenshot captures or network log dumps via indirect prompt injection.

L4 · Deployment & Infrastructure (✓ mapped)

Runs a local Node.js middleware server and a Chrome extension. If the local Node server lacks proper authentication or binding restrictions (e.g., listening on 0.0.0.0), it could allow local or remote attackers on the same network to access the browser's state.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — No built-in guardrails, logging, or anomaly detection are mentioned. Monitoring relies entirely on the host agent (e.g., Cursor) or manual user oversight of the console.

L6 · Security & Compliance (cross-cutting) (⚠ not certain from listing)

Not certain from the listing — There is no mention of authentication, authorization, or access control policies governing which local processes or external agents can query the Node middleware or Chrome extension.

L7 · Agent Ecosystem (✓ mapped)

Designed to interface with MCP-compatible agents. A compromised or rogue agent in the ecosystem could abuse this tool to silently monitor the user's browsing activity, harvest credentials, or capture sensitive visual data.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).