Agent/MCP Audit Sprint

Browser-control MCP slice

Browser Automation MCP Security Audit

A $1,000 fixed-price review for MCP servers and agent tools that can browse websites, scrape pages, click controls, submit forms, run JavaScript, download files, or bridge authenticated browser sessions.

Price: USD $1,000 fixed
Target: Browser, crawler, scraping, web-agent MCP
Risk: Clicks, forms, sessions, downloads, untrusted pages
Output: Tool boundary + injection test plan

Public sample

Browserbase MCP sample audit

The browser automation offer is backed by an independent public-code sample audit of browserbase/mcp-server-browserbase. The sample ran against a local clone of the repository; pnpm install, build, and the test suite passed on the sampled commit. It did not use live Browserbase sessions, customer data, credentials, hosted MCP endpoints, or live websites.

Medium: HTTP transport exposure matrix for local, remote, and hosted deployment modes
Medium: browser action launch-mode policy before click, type, observe, or extract tools
Low: operational log handling for URLs, session IDs, profile paths, and downloaded artifacts
Pass: pnpm install, build, and test suite completed on the sampled commit

Why this is hard to reason about

Browser tools move untrusted web content into agent decisions

Browser automation MCP servers often combine open-world page content with privileged local sessions. The audit focuses on what an agent can click, transmit, download, run, or leak after reading untrusted pages.

Read-only browse/scrape tools separated from click, type, submit, upload, download, and JavaScript execution
Prompt/tool injection tests for hostile pages, hidden text, page titles, forms, and downloaded files
Session boundary documentation for local browser profiles, cookies, credentials, and private tabs
URL/domain allowlists, localhost/private-network restrictions, file path controls, and payload size limits
Safe-mode behavior, confirmations, dry-run previews, and retry handling for non-idempotent actions
Secret redaction in screenshots, HTML snippets, logs, trace output, and agent-visible errors

Sprint path

48-hour target after scope and payment

  1. Open an intake with the repo, browser-tool docs, or sanitized automation slice.
  2. Public GitHub repo intakes receive an automated no-execution scanner triage comment.
  3. Scope is accepted around one browser automation MCP surface.
  4. Payment is confirmed before private review work starts.