Chrome DevTools MCP — agentic threat model
The Chrome DevTools MCP agent is high-risk exposure by construction: it lets an LLM inspect and drive a live browser session. If the model or its client is compromised (for example by prompt injection from page content it reads), that access becomes a direct vector for DOM manipulation, data exfiltration, and session hijacking.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
|---|---|
| Autonomy of Action | 0.80 |
| Goal-Driven Planning | 0.70 |
| Self-Modification | 0.10 |
| Dynamic Tool Use | 0.90 |
| Persistent Memory | 0.20 |
| Contextual Awareness | 0.80 |
| Dynamic Identity | 0.40 |
| Multi-Agent Interactions | 0.60 |
| Non-Determinism | 0.70 |
| Opacity & Reflexivity | 0.50 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged "Not certain from the listing" carry general, caveated commentary where the public description did not settle that layer.
Layer 1 (Foundation Models): Not certain from the listing. The server relies on whatever external model its client (Claude, Cursor, or similar) supplies. The primary threat is prompt injection: malicious DOM content read by the model reprograms its goals and drives unauthorized browser actions.
Layer 2 (Data Operations): The agent reads live DOM, console, network, and performance data. Session tokens, PII, and credentials present in the active tab (cookies, request headers, form values) land in the model context, and from there in prompts, transcripts, and client logs, which is a data-exfiltration risk in itself.
Layer 3 (Agent Frameworks): High risk of tool misuse. If the orchestrating client (Claude/Cursor) is tricked, the DevTools MCP tools can be driven to execute arbitrary JavaScript in the page, read cookies, or silently navigate to attacker-controlled sites.
Layer 4 (Deployment and Infrastructure): Not certain from the listing; depends on how the user runs the MCP server and the Chrome it attaches to. The Chrome remote-debugging port (typically 9222) is unauthenticated. If it is bound beyond loopback, or forwarded to the local network or the internet, anyone who can reach it gets full control of the browser profile (every tab, cookie, and session) and a foothold from which to attack the host.
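The deployment check a practitioner wants here is whether a Chrome DevTools Protocol (CDP) listener exists and how far it reaches. The following is an added example, not code from Chrome or chrome-devtools-mcp: it grades a Chrome process command line by its remote-debugging flags and includes a live probe of the `/json/version` discovery endpoint, which CDP answers for anyone who can connect. The sample command lines are constructed for the example; whether Chrome honours `--remote-debugging-address` in every mode varies by version, so the code treats its presence as intent to expose.

```javascript
// Added example, not code from Chrome or chrome-devtools-mcp. Audits a Chrome
// command line for a CDP listener and grades how far that unauthenticated
// listener reaches. Sample command lines below are constructed.
const LOOPBACK = new Set(["127.0.0.1", "::1", "localhost"]);

// Turn "--flag=value --other" into { flag: "value", other: true }.
function parseChromeFlags(cmdline) {
  const flags = {};
  for (const tok of cmdline.trim().split(/\s+/)) {
    const m = /^--([^=]+)(?:=(.*))?$/.exec(tok);
    if (m) flags[m[1]] = m[2] === undefined ? true : m[2];
  }
  return flags;
}

function assessDebugExposure(cmdline) {
  const f = parseChromeFlags(cmdline);
  if ("remote-debugging-pipe" in f) {
    // CDP over inherited file descriptors: no TCP socket for anyone to find.
    return { listening: false, level: "low", detail: "CDP over pipe, no TCP listener" };
  }
  if (!("remote-debugging-port" in f)) {
    return { listening: false, level: "none", detail: "remote debugging not enabled" };
  }
  const port = Number(f["remote-debugging-port"]);
  // Chrome defaults to loopback; --remote-debugging-address widens that.
  // Which modes honour the flag varies by version, so treat it as intent.
  const addr = f["remote-debugging-address"] || "127.0.0.1";
  const where = port === 0
    ? `${addr}:<ephemeral, see DevToolsActivePort in the profile dir>`
    : `${addr}:${port}`;
  if (!LOOPBACK.has(addr)) {
    return { listening: true, level: "high",
      detail: `CDP on ${where} is reachable from the network with no authentication` };
  }
  // Loopback still means any local process (or a forwarded container port)
  // can take over every tab, cookie and session in this browser profile.
  return { listening: true, level: "medium",
    detail: `CDP on ${where}; any local process can drive the browser` };
}

// Live check for a TCP listener: /json/version is CDP's discovery endpoint.
// Needs Node 18+ for the global fetch. Not exercised offline.
async function probeDebugEndpoint(host, port, timeoutMs = 2000) {
  try {
    const res = await fetch(`http://${host}:${port}/json/version`,
      { signal: AbortSignal.timeout(timeoutMs) });
    if (!res.ok) return { reachable: false };
    const info = await res.json();
    return { reachable: true, browser: info.Browser, wsUrl: info.webSocketDebuggerUrl };
  } catch {
    return { reachable: false };
  }
}

// Constructed sample command lines (not captured from a real host).
const SAMPLES = {
  plain: "/opt/google/chrome/chrome --user-data-dir=/tmp/p1",
  local: "/opt/google/chrome/chrome --remote-debugging-port=9222 --user-data-dir=/tmp/p2",
  exposed: "/opt/google/chrome/chrome --headless=new --remote-debugging-port=9222 --remote-debugging-address=0.0.0.0",
  pipe: "/opt/google/chrome/chrome --remote-debugging-pipe --user-data-dir=/tmp/p3",
};

for (const [name, cmd] of Object.entries(SAMPLES)) {
  const a = assessDebugExposure(cmd);
  console.log(`${name.padEnd(8)} ${a.level.padEnd(7)} ${a.detail}`);
}
```

On a real host, feed `assessDebugExposure` the command lines from `ps -eo args` (or the equivalent on the platform) and run `probeDebugEndpoint` against every interface address, not just loopback; a "medium" result is still worth fixing where containers or SSH port forwards are in play.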
Layer 5 (Evaluation and Observability): Not certain from the listing. Nothing in the description mentions guardrails, logging, or monitoring of the DevTools commands the agent issues, so there is no record to review after an incident: a significant audit blind spot.
Layer 6 (Security and Compliance): No explicit authorization controls. Any client connected to this MCP server inherits the full capability set of the attached Chrome instance; there is no per-tool, per-origin, or per-session permission boundary.
Layer 7 (Agent Ecosystem): Designed to integrate with clients such as Claude and Cursor. A compromised or rogue agent anywhere in that ecosystem can use this MCP server to take direct control of the user's active web sessions.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).