Chrome DevTools MCP — agentic threat model
This agent possesses high-risk capabilities due to direct, programmatic control of a live web browser via Puppeteer and Chrome DevTools, enabling arbitrary network requests, DOM manipulation, and local system interaction. The lack of built-in sandboxing or human-in-the-loop constraints in the default plugin configuration presents a significant security surface.
OWASP AIVSS score rationale
| Autonomy of Action | 0.80 | |
| Goal-Driven Planning | 0.70 | |
| Self-Modification | 0.10 | |
| Dynamic Tool Use | 0.90 | |
| Persistent Memory | 0.20 | |
| Contextual Awareness | 0.60 | |
| Dynamic Identity | 0.50 | |
| Multi-Agent Interactions | 0.30 | |
| Non-Determinism | 0.60 | |
| Opacity & Reflexivity | 0.50 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Not certain from the listing — The plugin is model-agnostic and relies on external LLMs via the MCP protocol. The primary risk is indirect prompt injection where malicious web content parsed by the browser reprograms the underlying model to execute unauthorized Puppeteer commands.
Not certain from the listing — The agent processes live DOM trees, console logs, and network traces dynamically. There is a high risk of data exfiltration if the agent reads sensitive session tokens or PII from the browser state and transmits them to unauthorized endpoints.
The agent framework integrates highly sensitive tools (Puppeteer, DevTools API). Insecure tool integration or lack of strict input validation allows the model to execute arbitrary JavaScript, bypass same-origin policies, or navigate to malicious local/internal network resources.
Not certain from the listing — Driving a live Chrome instance requires robust sandboxing. If the browser or MCP server runs with host-level privileges, a container escape or remote code execution (RCE) via browser exploits is highly plausible.
Not certain from the listing — While the tool records performance traces and console messages for debugging, there is no mention of security-specific guardrails, logging of executed Puppeteer scripts, or anomaly detection for suspicious browser behavior.
Not certain from the listing — No authentication, authorization, or policy enforcement mechanisms are described. The agent operates with the permissions of the local user running the Chrome instance, lacking fine-grained access controls.
As an MCP server, this agent is designed to be called by other orchestrators or agents. This creates a risk of cascading failures or delegation abuse, where a compromised orchestrator leverages this agent to perform unauthorized web automation.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).