BrowserTools MCP — agentic threat model
BrowserTools MCP presents a high-risk local attack surface: it bridges an LLM agent directly to the user's active browser session, console logs and network traffic through a local Node server. Everything the agent reads through that bridge (page text, console output, response bodies) is attacker-influenced content, so any of it can carry injected instructions. Without authorization controls on the local server and without redaction of what the tools return, an indirect prompt injection can turn those same tools into an exfiltration channel for session tokens, cookies and other secrets.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
|---|---|
| Autonomy of Action | 0.20 |
| Goal-Driven Planning | 0.10 |
| Self-Modification | 0.00 |
| Dynamic Tool Use | 0.60 |
| Persistent Memory | 0.10 |
| Contextual Awareness | 0.50 |
| Dynamic Identity | 0.20 |
| Multi-Agent Interactions | 0.10 |
| Non-Determinism | 0.20 |
| Opacity & Reflexivity | 0.30 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Layer 1 (Foundation Models): Not certain from the listing — BrowserTools MCP is model-agnostic and acts as an MCP server, so the model belongs to the host (e.g., Cursor). Whatever that model is, it reads page content, console output and response bodies through these tools, and text in any of them can carry injected instructions that steer it into calling the same tools to exfiltrate session data.
Layer 2 (Data Operations): The agent receives live console logs, network requests and screenshots. Session tokens, cookies, API keys and PII present in page memory, request headers or response bodies are therefore streamed to the LLM, and from there into whatever the host agent logs or sends upstream, unless they are redacted at the bridge before being returned.
Layer 3 (Agent Frameworks): Integrates via the Model Context Protocol (MCP) as a toolset. Tool calls are chosen from model output, so a weakness in the host agent's tool-calling orchestration (no per-call confirmation for sensitive tools, no allow-list of which tools a given task may use) lets indirect prompt injection trigger screenshot captures or network-log dumps the user never asked for.
Layer 4 (Deployment and Infrastructure): Runs a local Node.js middleware server and a Chrome extension. If the Node server lacks authentication or binding restrictions (e.g., listening on 0.0.0.0 instead of 127.0.0.1), local processes or other hosts on the same network can read the browser's state. Binding to loopback is necessary but not sufficient: a server that does not validate the Host and Origin headers can still be reached from a web page the user visits, via DNS rebinding, so the checks to look for are loopback binding, Host/Origin validation and a per-session credential.
Layer 5 (Evaluation and Observability): Not certain from the listing — No built-in guardrails, logging or anomaly detection are mentioned. Monitoring relies entirely on the host agent (e.g., Cursor) or on the user watching the console.
Layer 6 (Security and Compliance): Not certain from the listing — There is no mention of authentication, authorization or access-control policies governing which local processes or external agents can query the Node middleware or the Chrome extension.
Layer 7 (Agent Ecosystem): Designed to interface with MCP-compatible agents. A compromised or rogue agent in that ecosystem could abuse the tool to silently monitor the user's browsing activity, harvest credentials or capture sensitive visual data.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).