
Browserbase MCP Server — agentic threat model

AIVSS 9.0 · Critical

The Browserbase MCP Server presents a high agentic risk profile due to its ability to execute arbitrary web automation and form submissions, exposing it to indirect prompt injection via untrusted web content and potential API key exposure.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 8.5
AARS uplift: 0.94
Factor sum: 5.7 / 10
Threat multiplier (ThM): ×1.1
Mitigation factor: ×0.95
Agentic risk factors (each on a 0.0 to 1.0 scale):

Autonomy of Action: 0.80
Goal-Driven Planning: 0.70
Self-Modification: 0.10
Dynamic Tool Use: 0.90
Persistent Memory: 0.20
Contextual Awareness: 0.70
Dynamic Identity: 0.40
Multi-Agent Interactions: 0.50
Non-Determinism: 0.80
Opacity & Reflexivity: 0.60

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
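As an added example (not the listing's own code), the following Python recomputes the score above from the formula and inputs the page reports. The cap at 10, the rounding to one decimal before banding, the CVSS v3-style severity bands, and the `mitigation_to_reach` helper are assumptions of this example, not something the page states.

```python
# Added example, not code from the listing: recomputes the OWASP AIVSS
# score for this agent from the inputs the page reports.
#   AARS  = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM
#   AIVSS = (CVSS_Base + AARS) * Mitigation_Factor

CVSS_BASE = 8.5            # CVSS base score from the page
THREAT_MULTIPLIER = 1.1    # ThM, shown on the page as "Threat x1.1"
MITIGATION_FACTOR = 0.95   # shown on the page as "Mitigation x0.95"

# Ten agentic risk factors, each on a 0.0..1.0 scale, as listed on the page.
AGENTIC_FACTORS = {
    "Autonomy of Action": 0.80,
    "Goal-Driven Planning": 0.70,
    "Self-Modification": 0.10,
    "Dynamic Tool Use": 0.90,
    "Persistent Memory": 0.20,
    "Contextual Awareness": 0.70,
    "Dynamic Identity": 0.40,
    "Multi-Agent Interactions": 0.50,
    "Non-Determinism": 0.80,
    "Opacity & Reflexivity": 0.60,
}

# Assumption: CVSS v3 qualitative bands, applied to the rounded score.
BANDS = ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low"))

def factor_sum(factors):
    """Sum the factors after checking each one is on the 0..1 scale."""
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name}: {value} is outside 0.0..1.0")
    return sum(factors.values())

def aars(cvss_base, factors, thm):
    """Agentic risk uplift: scales the headroom left above the CVSS base."""
    return (10.0 - cvss_base) * (factor_sum(factors) / 10.0) * thm

def aivss(cvss_base, factors, thm, mitigation):
    """Final score, rounded to one decimal and capped at 10 (cap is an assumption)."""
    raw = (cvss_base + aars(cvss_base, factors, thm)) * mitigation
    return min(round(raw, 1), 10.0)

def severity(score):
    """Qualitative band for a rounded score; 'None' below the Low floor."""
    return next((label for floor, label in BANDS if score >= floor), "None")

def mitigation_to_reach(cvss_base, factors, thm, target):
    """Hypothetical helper: mitigation factor that brings the score down to target."""
    return target / (cvss_base + aars(cvss_base, factors, thm))
```

Running `aivss(CVSS_BASE, AGENTIC_FACTORS, THREAT_MULTIPLIER, MITIGATION_FACTOR)` gives 9.0 (Critical), matching the page; `mitigation_to_reach(..., 8.9)` shows how much stronger the mitigation factor would have to be for this agent to leave the Critical band.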

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (✓ mapped)

Uses Gemini or other external LLMs to drive browser actions. Highly vulnerable to indirect prompt injection where malicious web page content hijacks the LLM's instructions to perform unauthorized actions.

L2 · Data Operations (⚠ not certain from listing)

Not certain from the listing — no explicit vector store or RAG pipeline is detailed, but structured data extraction from untrusted web pages could introduce poisoned or malicious payloads into downstream systems.

L3 · Agent Frameworks (✓ mapped)

Utilizes the Stagehand framework and Model Context Protocol (MCP). Risks include tool misuse where the agent is manipulated into executing unintended browser actions, navigating to malicious sites, or submitting sensitive forms.

L4 · Deployment & Infrastructure (✓ mapped)

Relies on cloud-hosted browser sessions via Browserbase. Requires secure handling of Browserbase and LLM provider API keys; compromise of these credentials allows unauthorized cloud browser orchestration.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — no explicit evaluation, logging, or guardrail mechanisms are described for monitoring the live browser sessions or detecting anomalous navigation paths.

L6 · Security & Compliance (cross-cutting) (⚠ not certain from listing)

Not certain from the listing — it gives no details on access control, authentication, or compliance frameworks beyond basic API key management for Browserbase and Gemini.

L7 · Agent Ecosystem (✓ mapped)

Operates as an MCP server designed to interface with other LLM clients. Vulnerable to agent-to-agent trust abuse if a compromised or malicious orchestrator agent commands this server to perform harmful web actions.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).