@codeinklingon/browser-mcp — agentic threat model
The @codeinklingon/browser-mcp tool presents a high-risk profile due to its powerful headless browser capabilities (Puppeteer) and stealth features, which expose host systems to indirect prompt injection from untrusted web content and potential local infrastructure compromise.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
|---|---|
| Autonomy of Action | 0.80 |
| Goal-Driven Planning | 0.40 |
| Self-Modification | 0.00 |
| Dynamic Tool Use | 0.90 |
| Persistent Memory | 0.10 |
| Contextual Awareness | 0.70 |
| Dynamic Identity | 0.60 |
| Multi-Agent Interactions | 0.50 |
| Non-Determinism | 0.50 |
| Opacity & Reflexivity | 0.30 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Layer 1 (Foundation Models): Not certain from the listing. The tool is an MCP server and does not specify its underlying foundation model. However, the model reasoning over the ARIA snapshots is vulnerable to indirect prompt injection embedded in web pages.
Layer 2 (Data Operations): Not certain from the listing. No explicit RAG or vector store is mentioned, though the tool dynamically ingests and structures web page DOM/ARIA data for agent consumption, creating a transient data poisoning vector.
Layer 3 (Agent Frameworks): The tool provides direct Puppeteer browser automation. Key threats include tool misuse (arbitrary navigation, form submission), indirect prompt injection via untrusted web content, and the bypass of target site bot protections using stealth features.
Layer 4 (Deployment and Infrastructure): The tool runs locally ('local-only operation'). While this limits external cloud exposure, it increases the risk of local host compromise, local file access (e.g., via file:// URLs), and SSRF if the Puppeteer instance is not strictly sandboxed.
Layer 5 (Evaluation and Observability): Not certain from the listing. There is no mention of built-in logging, execution guardrails, or monitoring to detect malicious browser actions or anomalous navigation patterns.
Layer 6 (Security and Compliance): Not certain from the listing. No authentication, authorization, or policy enforcement mechanisms are described. Security relies entirely on the client application hosting the MCP server.
Layer 7 (Agent Ecosystem): Designed specifically for other agents to consume ('for agents to reason over'). This introduces ecosystem risks where a compromised orchestrator agent can abuse the browser tool to perform unauthorized web actions or exfiltrate data.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).