skuzu7/CSA-Obsidiancritical

🦊 Undetectable browser automation an LLM can drive: Camoufox stealth + a 17-tool MCP server. Human-like behavior, session persistence, CLI & Python API.

This MCP server provides undetectable browser automation for LLMs, using Camoufox stealth and 17 tools to let AI agents navigate, click, type, and scr...

purpose: This MCP server provides undetectable browser auto
threat: local with credentials
Python · ★ 1 · May 29, 2026 · ⚙ May 30, 2026
RISK SCORE
0 / 100 risk
high findings: +125
medium findings: +30
capped at 100
VULNERABILITY ANALYSIS · 7 findings in 7 blocks · 5 HIGH · 2 MEDIUM
HIGH · 1 finding
mcp_server/server.py:91
@mcp.tool()
@_mcp_tool
async def browser_open(url: str) -> dict:
    """Navigate to a URL and return a snapshot of the page with all interactive elements."""
    _, page, _ = await _ensure_browser()
    await page.goto(url)
    return await _auto_snapshot(page)
mcp_server/server.py:10 → stealth_browser/browser.py

// Local-with-credentials MCP; requires compromised LLM to exploit, but allows reading arbitrary local files.

EXPLAIN: The browser_open tool accepts a URL string without any validation or restriction on the scheme. An attacker can use file:// URLs to read arbitrary local files from the server's filesystem. The snapshot tool will return the contents of the file as markdown, effectively exfiltrating file contents.
IMPACT: An attacker could read any file on the system that the browser process has access to, including configuration files, SSH keys, credentials, and other sensitive data.
FIX: Validate the URL scheme and reject non-HTTP(S) URLs. Use a URL parser to ensure only http and https schemes are allowed.
HIGH · 1 finding
chrome_cookies.py:1
def _get_aes_key() -> bytes:
    import win32crypt
    state = json.loads(LOCAL_STATE.read_text(encoding="utf-8"))
    encrypted_key = base64.b64decode(state["os_crypt"]["encrypted_key"])
    encrypted_key = encrypted_key[5:]
    return win32crypt.CryptUnprotectData(encrypted_key, None, None, None, 0)[1]

def _decrypt_value(encrypted: bytes, key: bytes) -> str:
    ...
    return AESGCM(key).decrypt(nonce, ciphertext, None).decode("utf-8", errors="replace")

def extract(output: Path | None = None) -> list[dict]:
    key = _get_aes_key()
    ...
    cookies.append({
        "name": r["name"],
        "value": value,
        ...
    })
    dest.write_text(json.dumps(cookies, indent=2, ensure_ascii=False), encoding="utf-8")
chrome_cookies.py → import_chrome_cookies.py:5

// Local-with-credentials MCP; requires compromised LLM to exploit, but the script is present in the codebase and can be invoked.

EXPLAIN: The chrome_cookies.py script extracts and decrypts all cookies from Chrome's encrypted cookie store, including session cookies for authenticated sessions. It writes them to a JSON file in plaintext. This script is imported and used by import_chrome_cookies.py, which is part of the MCP server's toolchain. An attacker who gains access to the filesystem or can invoke this script can steal all Chrome cookies, including those for sensitive sites like email, banking, and social media.
IMPACT: An attacker could steal all cookies from Chrome, allowing them to impersonate the user on any website where they have an active session, including email, banking, social media, and corporate applications.
FIX: Remove or heavily restrict the chrome_cookies.py script. If cookie import is necessary, use a more secure method that does not write decrypted cookies to disk. Consider using Playwright's built-in cookie handling with proper encryption.
HIGH · 1 finding
mcp_server/server.py:218
@mcp.tool()
@_mcp_tool
async def browser_evaluate(js: str) -> dict:
    """Execute arbitrary JavaScript in the page context and return the result."""
    _, page, _ = await _ensure_browser()
    result = await evaluate(page, js)
    return {"result": result}
mcp_server/server.py:14 → stealth_browser/page_ops.py

// Local-with-credentials MCP; requires compromised LLM to exploit, but the tool provides direct arbitrary code execution capability.

EXPLAIN: The browser_evaluate tool accepts arbitrary JavaScript code as input and executes it in the browser page context without any sanitization or restriction. This allows an attacker (or compromised LLM) to run arbitrary JavaScript on any website the browser visits, bypassing same-origin policy and potentially accessing sensitive data, modifying page content, or performing actions on behalf of the user.
IMPACT: An attacker could execute arbitrary JavaScript in the context of any website visited by the browser. This could be used to steal cookies, session tokens, or other sensitive data; perform actions on authenticated sessions (e.g., transfer funds, change passwords); or exfiltrate data to attacker-controlled servers.
FIX: Remove the browser_evaluate tool entirely, or restrict it to a whitelist of safe JavaScript functions. If execution is necessary, implement a sandbox or use a dedicated evaluation environment with no access to the page's DOM or network.
HIGH · 1 finding
mcp_server/server.py:227
@mcp.tool()
@_mcp_tool
async def browser_save_session(name: str = "default") -> dict:
    """Save current browser cookies to a named session file for later restoration."""
    _, page, _ = await _ensure_browser()
    cfg = BrowserConfig.from_env()
    path = cfg.profile_dir.parent / name / "cookies.json"
    path.parent.mkdir(parents=True, exist_ok=True)
    await save_cookies(page, path)
    return {"path": str(path)}
mcp_server/server.py:15 → stealth_browser/session.py

// Local-with-credentials MCP; requires compromised LLM to exploit, but allows writing files outside intended directory.

EXPLAIN: The browser_save_session tool constructs a file path using the user-supplied 'name' parameter without sanitization. An attacker can use path traversal sequences (e.g., '../') to write cookies.json to arbitrary directories. While this writes a file, it can also be used to read files by overwriting symlinks or by using the returned path to infer file existence. More critically, the ability to write to arbitrary locations can lead to code execution if the written file is interpreted (e.g., Python import hooks).
IMPACT: An attacker could write a cookies.json file to arbitrary locations on the filesystem, potentially overwriting sensitive files or planting malicious files that get executed.
FIX: Sanitize the 'name' parameter to prevent path traversal. Use a whitelist of allowed characters and reject any input containing '..' or '/'.
HIGH · 1 finding
mcp_server/server.py:239
@mcp.tool()
@_mcp_tool
async def browser_load_session(name: str = "default") -> dict:
    """Load cookies from a previously saved named session into the current browser context."""
    _, page, _ = await _ensure_browser()
    cfg = BrowserConfig.from_env()
    path = cfg.profile_dir.parent / name / "cookies.json"
    await load_cookies(page, path)
    return {"ok": True}
mcp_server/server.py:15 → stealth_browser/session.py

// Local-with-credentials MCP; requires compromised LLM to exploit, but allows reading arbitrary files.

EXPLAIN: The browser_load_session tool constructs a file path using the user-supplied 'name' parameter without sanitization. An attacker can use path traversal sequences (e.g., '../') to read arbitrary JSON files from the filesystem. The load_cookies function will parse the file as JSON and add the cookies to the browser context, potentially leaking file contents through error messages or cookie values.
IMPACT: An attacker could read arbitrary JSON files from the filesystem, including configuration files, credentials, and other sensitive data.
FIX: Sanitize the 'name' parameter to prevent path traversal. Use a whitelist of allowed characters and reject any input containing '..' or '/'.
MEDIUM · 1 finding
mcp_server/server.py:91
@mcp.tool()
@_mcp_tool
async def browser_open(url: str) -> dict:
    """Navigate to a URL and return a snapshot..."""
    _, page, _ = await _ensure_browser()
    await page.goto(url)
    return await _auto_snapshot(page)
mcp_server/server.py:10 → stealth_browser/browser.py

// Local-with-credentials MCP; requires compromised LLM to exploit, but allows SSRF to internal services.

EXPLAIN: The browser_open tool accepts any URL without validation. An attacker can use it to access internal network services (SSRF), such as cloud metadata endpoints (e.g., http://169.254.169.254/), internal APIs, or other services that are not intended to be exposed. The snapshot tool will return the content of those pages.
IMPACT: An attacker could access internal network services, cloud metadata, and other resources that are not intended to be accessible from the browser, potentially leaking sensitive information or allowing further attacks.
FIX: Validate the URL to only allow HTTP/HTTPS schemes and optionally restrict to a whitelist of allowed domains. Block access to private IP ranges and cloud metadata endpoints.
MEDIUM · 1 finding
mcp_server/server.py:89
@mcp.tool()
@_mcp_tool
async def browser_open(url: str) -> dict:
    """Navigate to a URL and return a snapshot..."""
    _, page, _ = await _ensure_browser()
    await page.goto(url)
    return await _auto_snapshot(page)

@mcp.tool()
@_mcp_tool
async def browser_evaluate(js: str) -> dict:
    """Execute arbitrary JavaScript..."""
    _, page, _ = await _ensure_browser()
    result = await evaluate(page, js)
    return {"result": result}
mcp_server/server.py

// Local-with-credentials MCP; requires compromised LLM to exploit, but the broad scope increases attack surface.

EXPLAIN: The MCP server exposes 17 tools that provide full browser automation capabilities, including navigating to arbitrary URLs, executing JavaScript, managing cookies, and interacting with page elements. While the intended purpose is 'undetectable browser automation for LLMs', the scope is extremely broad and includes capabilities that could be abused for malicious purposes such as web scraping, credential theft, and unauthorized actions on behalf of the user. The combination of tools allows an attacker to perform any action a user could perform in a browser.
IMPACT: An attacker with control over the LLM could use the browser tools to visit any website, execute JavaScript, steal cookies, fill forms, and perform actions on authenticated sessions, effectively gaining full control over the user's web activities.
FIX: Restrict the tools to a whitelist of allowed domains or actions. Implement per-tool authorization checks. Consider using a more limited set of tools that align with the intended use case (e.g., only allow navigation to specific sites).
◷ 5/30/2026
Findings are produced by automated LLM analysis and may include false positives or miss issues. Verify independently before acting.