Agent/MCP Audit Sprint

Sample audit report

browserbase/mcp-server-browserbase

This independent public-code sample is based on commit 1e196b3d3c4dc70944e0d19038dd9eb3608b207a. It is not a commissioned review or private vulnerability disclosure, and no Browserbase sessions, customer data, credentials, hosted MCP endpoints, or live websites were used.

Target: Browserbase MCP Server
Validation: pnpm install + build + tests passed
Scanner Score: 72/100 heuristic score

Scope

Out of scope: Browserbase production infrastructure, hosted MCP service behavior, live Browserbase account authorization, external website interaction, customer data, and unpublished branches.

Executive Summary

The repo has a clean, focused MCP surface: six tools match the hosted Browserbase MCP server, inputs use Zod schemas, tests assert tool names and schema behavior, and the self-hosted server supports both stdio and Streamable HTTP.

The highest-value review work is around launch and operator boundaries. Browser automation MCP servers sit at a sensitive boundary: an agent can navigate authenticated sessions, act on web pages, observe actionable elements, and extract page data.

Boundary Map

Area | Evidence | Risk Notes
Transport | src/transport.ts, README.md, src/config.ts | stdio and HTTP/SHTTP are supported. HTTP binds to the configured host; the docs describe a localhost default and 0.0.0.0.
MCP tool surface | src/index.ts, src/tools/index.ts | Six tools are registered: start, end, navigate, act, observe, and extract.
Browser sessions | src/sessionManager.ts, src/tools/session.ts | Session creation uses Browserbase and Stagehand; context IDs and persistence are configurable.
Browser actions | src/tools/navigate.ts, src/tools/act.ts, src/tools/observe.ts, src/tools/extract.ts | Tools navigate to URLs, perform page actions, observe elements, and extract page data.
Credentials | src/config.ts, src/sessionManager.ts, README.md | Browserbase, project, Gemini/Google, and custom model keys are loaded from env/CLI/config.
Tests and CI | src/config.test.ts, src/tools/__tests__/tools.test.ts, tests/smoke.test.ts, .github/workflows/ci.yml | Unit and smoke tests exist and passed locally. CI also runs secret-backed evals.

Findings

Medium: HTTP transport needs an operator-facing exposure matrix

Evidence: README.md documents SHTTP and --host; src/config.ts exposes server.host; src/transport.ts starts an HTTP server and creates Streamable HTTP sessions.

Recommended fix: add a transport exposure matrix covering hosted MCP, stdio self-hosted, local HTTP, Docker, reverse proxy deployment, host binding, external auth expectations, and credential sharing assumptions.
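As an added illustration of the startup summary and external-auth expectation this finding (and fix plan item 1) asks for, the following is example code written for this report, not code from mcp-server-browserbase. The config field names host, port, authToken and behindProxy, the 32-character minimum, and the bearer-token scheme are assumptions; the real src/config.ts shape may differ. It classifies where an HTTP/SHTTP listener is reachable from and refuses to start an off-host listener that nothing authenticates.

```typescript
// Added example, not project code. Field names and the bearer scheme are assumed.
export type Exposure = "loopback" | "interface" | "all-interfaces";

export interface ListenerConfig {
  host: string;          // value an operator would pass to --host (assumed name)
  port: number;
  authToken?: string;    // shared secret expected in the Authorization header (assumed)
  behindProxy: boolean;  // operator asserts a reverse proxy authenticates callers (assumed)
}

// Decide what the bind address actually exposes. Wildcard and empty hosts listen on
// every interface; 127/8, ::1 and "localhost" stay on the machine.
export function classifyHost(host: string): Exposure {
  const h = host.trim().toLowerCase().replace(/^\[|\]$/g, "");
  if (h === "localhost" || h === "::1" || /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(h)) {
    return "loopback";
  }
  if (h === "" || h === "0.0.0.0" || h === "::") {
    return "all-interfaces";
  }
  return "interface";
}

export interface StartDecision {
  start: boolean;
  exposure: Exposure;
  reasons: string[];   // the startup summary an operator should see in the log
}

// Refuse to bring up a listener that is reachable off-host unless something
// authenticates callers: a configured token or an explicitly declared proxy.
export function decideStart(cfg: ListenerConfig): StartDecision {
  const exposure = classifyHost(cfg.host);
  const reasons: string[] = [];
  if (exposure === "loopback") {
    reasons.push(`bound to loopback ${cfg.host}:${cfg.port}; only local processes can reach it`);
    return { start: true, exposure, reasons };
  }
  if (!cfg.authToken && !cfg.behindProxy) {
    reasons.push(`host ${cfg.host} is reachable off-host and no auth token or proxy is configured`);
    return { start: false, exposure, reasons };
  }
  if (cfg.authToken && cfg.authToken.length < 32) {
    reasons.push("auth token is shorter than 32 characters; refusing to expose the listener");
    return { start: false, exposure, reasons };
  }
  reasons.push(cfg.authToken
    ? `bearer token required on every request to ${cfg.host}:${cfg.port}`
    : `relying on the reverse proxy in front of ${cfg.host}:${cfg.port} for authentication`);
  return { start: true, exposure, reasons };
}

// Constant-time comparison so a caller cannot learn the token byte by byte from timing.
function equalConstantTime(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Per-request check for the token mode: header must be "Bearer <token>".
export function authorize(headers: Record<string, string | undefined>, token: string): boolean {
  const value = headers["authorization"] ?? "";
  const m = /^Bearer\s+(\S+)$/i.exec(value);
  return m !== null && equalConstantTime(m[1], token);
}
```

Printing `reasons` at startup gives the operator the one-line exposure summary; the same classifier can feed a README matrix row per deployment mode.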

Medium: Browser action tools need an explicit launch-mode policy

Evidence: navigate opens URLs, act performs natural-language page actions, observe returns actionable elements, and extract returns page data.

Recommended fix: document risk modes for anonymous browsing, authenticated browsing, persistent context, and verified identity; add examples for deployments that want observe/extract without unrestricted act.
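The wrapper this finding and fix plan item 5 describe, as an added example written for this report rather than code from mcp-server-browserbase: a policy layer in front of the six tools the report lists that hides act in observe/extract-only deployments, pins navigate to an origin allowlist, and refuses persisted-context reuse in anonymous mode. The mode names, the policy shape, the argument names action, url and contextId, and the sample origins are assumptions.

```typescript
// Added example, not project code. Mode names, argument names and policy shape are assumed.
export type SessionMode = "anonymous" | "authenticated" | "persistent-context";
export const TOOLS = ["start", "end", "navigate", "act", "observe", "extract"] as const;
export type ToolName = (typeof TOOLS)[number];

export interface ToolPolicy {
  mode: SessionMode;
  allowAct: boolean;             // false = observe/extract-only deployment
  allowedOrigins: string[];      // origins navigate may open; empty = any http(s) origin
  actionDenyPatterns: RegExp[];  // natural-language actions to refuse even when act is on
}

// A deployment that may read an authenticated site but never change anything on it.
export const READ_ONLY_POLICY: ToolPolicy = {
  mode: "authenticated",
  allowAct: false,
  allowedOrigins: ["https://example.com"],  // constructed sample allowlist
  actionDenyPatterns: [],
};

// The tool list to advertise to the agent: act is simply not offered when disabled,
// so the model never plans around a tool the policy would later refuse.
export function visibleTools(policy: ToolPolicy): ToolName[] {
  return TOOLS.filter((t) => t !== "act" || policy.allowAct);
}

export interface Verdict { allowed: boolean; reason: string }

// Per-call gate to run before dispatching to the real tool handler.
export function checkToolCall(policy: ToolPolicy, tool: ToolName, args: Record<string, unknown>): Verdict {
  switch (tool) {
    case "act": {
      if (!policy.allowAct) return { allowed: false, reason: "act is disabled by policy (observe/extract only)" };
      const action = String(args["action"] ?? "");
      const hit = policy.actionDenyPatterns.find((p) => p.test(action));
      return hit ? { allowed: false, reason: `action matches deny pattern ${hit}` } : { allowed: true, reason: "ok" };
    }
    case "navigate": {
      const raw = String(args["url"] ?? "");
      let u: URL;
      try { u = new URL(raw); } catch { return { allowed: false, reason: `url does not parse: ${JSON.stringify(raw)}` }; }
      if (u.protocol !== "https:" && u.protocol !== "http:") return { allowed: false, reason: `scheme ${u.protocol} not allowed` };
      if (policy.allowedOrigins.length > 0 && !policy.allowedOrigins.includes(u.origin)) {
        return { allowed: false, reason: `origin ${u.origin} not in allowlist` };
      }
      return { allowed: true, reason: "ok" };
    }
    case "start":
      // Anonymous browsing must not silently inherit cookies from a persisted context.
      if (policy.mode === "anonymous" && args["contextId"] !== undefined) {
        return { allowed: false, reason: "anonymous mode forbids reusing a persisted context" };
      }
      return { allowed: true, reason: "ok" };
    default:
      return { allowed: true, reason: "ok" };
  }
}
```

Keeping the gate outside the tool handlers means the same README can show one policy object per risk mode (anonymous, authenticated, persistent context) without touching the Zod schemas.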

Low: Operational logs should be treated as sensitive artifacts

Evidence: Context.run logs tool names and serialized args; SessionManager logs session lifecycle events, Browserbase session IDs, and live debugger URLs.

Recommended fix: add log-sensitivity guidance, redact URL query strings and session IDs in structured logs, and add tests for how provider errors are formatted before they are logged.
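One way to apply the redaction this finding and fix plan item 3 call for, as an added example written for this report and not code from mcp-server-browserbase: a walker applied to a structured log record before it is written, which blanks values under sensitive key names and drops query strings and fragments from any URL, including URLs embedded in free text. The key names matched (sessionId, debuggerUrl, apiKey and similar), the record shape, and the sample records are assumptions; adapt the patterns to the real logger's field names.

```typescript
// Added example, not project code. Key names and record shape are assumed.
const SENSITIVE_KEY = /(session[_-]?id|debugger[_-]?url|api[_-]?key|authorization|cookie|token)/i;

// Keep scheme, host and path; drop the query string and fragment, which routinely
// carry signed parameters, one-time tokens and tracking state.
export function stripUrl(value: string): string {
  try {
    const u = new URL(value);
    u.search = "";
    u.hash = "";
    return u.toString();
  } catch {
    return value;  // not a URL, leave the text alone
  }
}

const URL_IN_TEXT = /https?:\/\/[^\s"'<>]+/g;

// Apply stripUrl to every URL found inside a string, e.g. a provider error message.
export function redactText(text: string): string {
  return text.replace(URL_IN_TEXT, (m) => stripUrl(m));
}

// Recursive redaction over a JSON-like record. A sensitive key blanks its whole value
// regardless of type, so an object nested under "debuggerUrl" never leaks either.
export function redact(value: unknown, key = ""): unknown {
  if (SENSITIVE_KEY.test(key)) return "[redacted]";
  if (typeof value === "string") return redactText(value);
  if (Array.isArray(value)) return value.map((v) => redact(v));
  if (value && typeof value === "object") {
    const out: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(value)) out[k] = redact(v, k);
    return out;
  }
  return value;
}

// Mirrors the "tool name plus serialized args" line this finding describes,
// with redaction applied before serialization.
export function formatToolLog(tool: string, args: Record<string, unknown>): string {
  return `tool=${tool} args=${JSON.stringify(redact(args))}`;
}
```

Redacting by key name rather than by value pattern avoids depending on the exact format of Browserbase session IDs, which this report does not document; add value patterns only once they are confirmed.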

Low: Secret-backed evals should be separated from public CI expectations

Evidence: CI runs install, lint, format, build, tests, then pnpm evals with Browserbase/model provider secrets.

Recommended fix: split public CI from secret-backed evals or skip evals when required secrets are absent, then publish the minimum local validation command set.

Positive Signals

Priority Fix Plan

  1. Add a transport exposure matrix and startup summary for self-hosted HTTP/SHTTP.
  2. Add a session risk-mode section for authenticated browsing, persistent context, and verified identity.
  3. Add log sensitivity and redaction guidance for tool args, URLs, session IDs, and debugger URLs.
  4. Split public CI from secret-backed evals or document the secret-backed job behavior.
  5. Add example wrappers or config guidance for deployments that want observe/extract without unrestricted act.

Example Validation Commands

corepack pnpm install --frozen-lockfile
corepack pnpm build
BROWSERBASE_API_KEY=test-key BROWSERBASE_PROJECT_ID=test-project corepack pnpm test
node tools/agent-mcp-audit.mjs /path/to/mcp-server-browserbase --sarif > agent-mcp-audit.sarif

What the Paid Sprint Adds

The paid sprint would go deeper than this public sample: focused tests against the repo's actual CI shape, a deployment-mode threat table, log-redaction checks, recommended wrapper policy for browser actions, issue-ready remediation text, and a concise launch handoff for owners.