registry  /  real-browser-mcp-server  /  2.0.0

real-browser-mcp-server@2.0.0

MCP Server for Real Browser - Patchright (undetected Playwright fork) with Stealth Mode, Ad Blocker, and Turnstile Auto-Solver for undetectable web automation.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
User starts the CLI and invokes MCP browser or network tools.
Impact
A connected AI client can use active browser session cookies and bypass CORS for caller-supplied targets.
Mechanism
Stealth browser automation with Turnstile clicking and browser-context request replay.
Rationale
No concrete malicious chain is present, but the exposed MCP features are a dangerous dual-use browser capability. Per firewall policy, this warrants a warning rather than a block.
Evidence
package.jsondist/src/shared/lib-core.jsdist/src/mcp/handlers/network.jsdist/src/shared/tools.jslib/esm/module/turnstile.mjsdist/src/index.jsdist/src/mcp/server.jsdist/src/mcp/handlers/browser.js.cache/browser_state.json.cache/activity_log.json

Decision evidence

public snapshot
AI called this Suspicious at 93.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/src/shared/lib-core.js` launches Patchright with `--disable-blink-features=AutomationControlled` and no-sandbox flags.
  • `lib/esm/module/turnstile.mjs` detects Cloudflare challenges and clicks candidate Turnstile controls.
  • `dist/src/mcp/handlers/network.js` replays caller-supplied requests in the browser context and returns response bodies.
  • `dist/src/shared/tools.js` exposes request replay with attached browser cookies and CORS bypass.
Evidence against
  • `package.json` has only `prepublishOnly`; no install-time lifecycle hook.
  • `dist/src/index.js` starts the MCP server only when its CLI entrypoint is invoked.
  • No source writes AI-agent configuration; writes are cache/log files or caller-specified output paths.
  • No fixed exfiltration endpoint, credential harvesting, remote payload loader, or destructive action was found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsObfuscatedUrlStrings
Manifest
WildcardDependency
scanned 35 file(s), 295 KB of source, external domains: api.example.com

Source & flagged code

1 flagged · loading source
dist/src/shared/lib-core.jsView file
Published source reference
Medium
Ai Review Evidence

`dist/src/shared/lib-core.js` launches Patchright with `--disable-blink-features=AutomationControlled` and no-sandbox flags.

dist/src/shared/lib-core.jsView on unpkg

Findings

5 Medium7 Low
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
MediumAi Review Evidencedist/src/shared/lib-core.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowEval
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings