browserconnect@1.1.3

MCP server + Chrome extension — lets Claude see, read, and control your browser via a side panel

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs browserconnect, runs browserconnect --init, or installs/uses the bundled Chrome extension.
Impact
A configured agent can read page DOM, cookies/storage, console/network data, screenshots, execute page JavaScript, navigate, click, and type in the active tab.
Mechanism
Local MCP/browser-control bridge with explicit project setup
Rationale
Static source inspection shows an explicit BrowserConnect agent/browser bridge with powerful browser-control tools and user-invoked Claude/MCP setup, but no lifecycle-triggered foreign control-surface mutation or external exfiltration. Warn for dangerous capability rather than block as malware.
Evidence
  • package.json
  • bin/browserconnect.js
  • src/server.js
  • src/mcp.js
  • chrome-extension/manifest.json
  • chrome-extension/panel.js
  • chrome-extension/background.js
  • CLAUDE.md
  • .mcp.json
Network endpoints (3)
  • 127.0.0.1:2222/health
  • localhost:2222
  • 127.0.0.1:2222

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • bin/browserconnect.js --init writes project .mcp.json and appends CLAUDE.md BrowserConnect instructions when explicitly invoked.
  • src/mcp.js exposes agent tools for page control, storage/cookie reads, DOM reads, screenshots, navigation, network and console capture.
  • chrome-extension/background.js executes MCP-requested JavaScript in the active tab MAIN world and can read storage/cookies.
  • chrome-extension/manifest.json requests <all_urls>, scripting, tabs, storage, and localhost:2222 permissions.
Evidence against
  • package.json has no install/preinstall/postinstall/prepare lifecycle scripts; only bin browserconnect is exposed.
  • Control-surface writes are behind user-run --init, not install-time/import-time mutation.
  • src/server.js binds to 127.0.0.1:2222 and uses extension-origin checks plus X-BC-Token for most endpoints.
  • No external exfiltration host, remote payload loading, persistence, destructive action, or credential harvesting outside browser tool features found.
  • bin/browserconnect.js child_process use is limited to killing a stale localhost listener after /health identifies browserconnect.
Behavioral surface
Source
ChildProcess, Crypto, Filesystem, Network
Supply chain
HighEntropyStrings, UrlStrings
Manifest
NoLicense
scanned 12 file(s), 184 KB of source, external domains: example.com

Source & flagged code

2 flagged
bin/browserconnect.js
L2:
L3: const { execSync } = require('child_process');
L4: const fs = require('fs');
High
Child Process

Package source references child process execution.

bin/browserconnect.js · L2
L137: try {
L138:   const res = await fetch(`http://${HOST}:${PORT}/health`, { signal: AbortSignal.timeout(1000) });
L139:   const body = await res.json();
...
L143:   if (isBrowserConnect) {
L144:     process.stderr.write(`BrowserConnect: stale instance on port ${PORT} — restarting it...\n`);
L145:     try {
L146:       execSync(`lsof -ti TCP:${PORT} -sTCP:LISTEN | xargs kill -9 2>/dev/null || true`, { stdio: 'ignore' });
L147:     } catch {}
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

bin/browserconnect.js · L137

Findings

2 High · 1 Medium · 5 Low
  • High · Child Process · bin/browserconnect.js
  • High · Command Output Exfiltration · bin/browserconnect.js
  • Medium · Network
  • Low · Scripts Present
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Url Strings
  • Low · No License