browsermcp/mcp — agentic threat model
This agent presents an exceptionally high risk profile because it operates directly within the user's active, authenticated Chrome browser session, inheriting all active logins and cookies. A compromise of this agent or its orchestrator allows immediate, unmitigated access to the user's personal and corporate web accounts.
OWASP AIVSS score rationale
| Agentic risk factor | Score | Rationale |
| --- | --- | --- |
| Autonomy of Action | 0.80 | |
| Goal-Driven Planning | 0.70 | |
| Self-Modification | 0.10 | |
| Dynamic Tool Use | 0.90 | |
| Persistent Memory | 0.20 | |
| Contextual Awareness | 0.80 | |
| Dynamic Identity | 0.90 | |
| Multi-Agent Interactions | 0.40 | |
| Non-Determinism | 0.60 | |
| Opacity & Reflexivity | 0.50 | |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “Not certain from the listing” are general, caveated commentary where the public description did not pin down that layer.
L1 Foundation Models: Not certain from the listing — The agent relies on external LLMs via the Model Context Protocol (MCP). The primary L1 threat is prompt injection or adversarial page content that hijacks the model's instructions to execute malicious browser actions (e.g., transferring funds or exfiltrating data).
L2 Data Operations: The agent reads active page content and DOM structures to execute its tasks. The primary threat is data poisoning or indirect prompt injection from untrusted web pages, which can manipulate the agent's behavior or lead to the exfiltration of sensitive session data.
L3 Agent Frameworks: The agent framework exposes powerful browser control tools (click, type, navigate, read). Insecure tool integration or a lack of strict input validation on these tools could allow an attacker to bypass intended boundaries and execute arbitrary actions in the browser.
L4 Deployment and Infrastructure: The agent runs locally ('local-first, no cloud') as an MCP server paired with a Chrome extension. While this avoids cloud-hosting risks, it exposes the local host if the MCP endpoint is unsecured, potentially allowing local privilege escalation or unauthorized local browser control.
L5 Evaluation and Observability: Not certain from the listing — There is no mention of built-in logging, audit trails, or guardrails to monitor what the agent is clicking or typing, creating a significant blind spot for detecting unauthorized or malicious browser actions.
L6 Security and Compliance: The agent reuses existing logins and cookies to act as the user, bypassing traditional authentication boundaries. There is a severe lack of explicit authorization controls or policy enforcement to restrict which domains the agent can interact with.
L7 Agent Ecosystem: As an MCP server, this agent is designed to be called by other orchestrators or agents. This introduces a high risk of cascading failures or agent-to-agent trust abuse, where a compromised upstream agent exploits this tool to hijack the user's browser.
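The observability and authorization gaps above (no audit trail of what is clicked or typed; no per-domain policy on which sites the tools may touch) are the kind of control a host or orchestrator can enforce in front of the MCP tools. The following is an added example, not browsermcp's own code; the tool names `navigate`, `click`, `type`, `read`, the policy shape and the sample calls are assumptions constructed for illustration.

```typescript
// Added example (not browsermcp's code): a host-side policy gate plus audit log
// for MCP browser tool calls. Tool names and the policy shape are assumptions.
type ToolCall = { tool: string; args: Record<string, string>; pageUrl: string };
type Policy = { allowedHosts: string[]; readOnly: boolean };
type Decision = { allowed: boolean; reason: string };

// Tools that change state inside the user's authenticated session.
const WRITE_TOOLS = new Set(["click", "type", "navigate"]);
const auditLog: string[] = [];

function hostOf(url: string): string | null {
  try { return new URL(url).hostname.toLowerCase(); } catch { return null; }
}

// Exact host or subdomain match; a lookalike such as
// intranet.example.com.evil.invalid must not pass.
function hostAllowed(url: string, allowedHosts: string[]): boolean {
  const host = hostOf(url);
  if (host === null) return false;
  return allowedHosts.some(h => host === h || host.endsWith("." + h));
}

// Never write typed text (passwords, tokens, form values) into the audit trail.
function redact(call: ToolCall): Record<string, string> {
  return call.tool === "type" ? { ...call.args, text: "[redacted]" } : call.args;
}

function gate(call: ToolCall, policy: Policy): Decision {
  // navigate is judged by its destination; other tools by the page they act on.
  const target = call.tool === "navigate" ? (call.args.url ?? "") : call.pageUrl;
  let d: Decision;
  if (!hostAllowed(target, policy.allowedHosts)) {
    d = { allowed: false, reason: `host of ${target} not in allowlist` };
  } else if (policy.readOnly && WRITE_TOOLS.has(call.tool)) {
    d = { allowed: false, reason: `${call.tool} blocked: read-only session` };
  } else {
    d = { allowed: true, reason: "ok" };
  }
  auditLog.push(`${new Date().toISOString()} ${call.tool} ${JSON.stringify(redact(call))}` +
    ` target=${target} ${d.allowed ? "ALLOW" : "DENY"} (${d.reason})`);
  return d;
}

function getAuditLog(): string[] { return auditLog.slice(); }

// Constructed sample calls: one inside policy, two outside it.
function runSamples(): Decision[] {
  const policy: Policy = { allowedHosts: ["intranet.example.com"], readOnly: false };
  return [
    gate({ tool: "read", args: {}, pageUrl: "https://intranet.example.com/reports" }, policy),
    gate({ tool: "navigate", args: { url: "https://intranet.example.com.evil.invalid/" }, pageUrl: "about:blank" }, policy),
    gate({ tool: "type", args: { selector: "#amount", text: "9000" }, pageUrl: "https://bank.example.org/transfer" }, policy),
  ];
}
```

Every decision, allowed or denied, lands in the audit log, which is what turns the L5 blind spot into something a detection pipeline can consume.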
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).