AgentReadyHomeAgent Listing

MCP SSE Playwright (Automata Labs) — agentic threat model

AIVSS 9.5 · Critical

The MCP SSE Playwright server carries an extremely high-risk profile because it can execute arbitrary JavaScript and drive browser actions inside the user's active, logged-in sessions. Any page the browser renders can carry injected instructions, so without strict sandboxing, network egress controls, or human-in-the-loop guardrails it is highly susceptible to prompt injection leading to session hijacking and SSRF.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
Inputs
  CVSS base                  8.8
  AARS uplift                0.67
  Factor sum                 5.1 / 10
  Threat multiplier (ThM)    ×1.1
  Mitigation factor          ×1.0

Agentic risk factor          Score
  Autonomy of Action         0.80
  Goal-Driven Planning       0.40
  Self-Modification          0.10
  Dynamic Tool Use           0.90
  Persistent Memory          0.20
  Contextual Awareness       0.60
  Dynamic Identity           0.70
  Multi-Agent Interactions   0.20
  Non-Determinism            0.70
  Opacity & Reflexivity      0.50

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors are estimated from the agent's described capabilities. Check: the ten factors sum to 5.1, so AARS = (10 − 8.8) × 0.51 × 1.1 = 0.67 and AIVSS = (8.8 + 0.67) × 1.0 = 9.47, rounded to 9.5. Note that the agentic uplift is bounded by the headroom 10 − CVSS_Base, so the 8.8 CVSS base, not the factor estimates, is what puts this listing in Critical.
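The arithmetic above, carried through as an added worked example (it is not the OWASP calculator and not code from the listing's author). The factor values are the listing's own estimates; the cap at 10, the CVSS-style severity bands and the ×0.8 mitigation scenario are assumptions made here to show how the score moves.

```python
# Added example of the AIVSS arithmetic shown on this page. Not the OWASP
# calculator; the 0-10 cap, severity bands and the 0.8 mitigation scenario are
# assumptions for illustration.

CVSS_BASE = 8.8
THREAT_MULTIPLIER = 1.1   # ThM
MITIGATION_FACTOR = 1.0   # no controls credited on the listing

AGENTIC_FACTORS = {
    "Autonomy of Action": 0.80,
    "Goal-Driven Planning": 0.40,
    "Self-Modification": 0.10,
    "Dynamic Tool Use": 0.90,
    "Persistent Memory": 0.20,
    "Contextual Awareness": 0.60,
    "Dynamic Identity": 0.70,
    "Multi-Agent Interactions": 0.20,
    "Non-Determinism": 0.70,
    "Opacity & Reflexivity": 0.50,
}


def aars(cvss_base: float, factors: dict, thm: float) -> float:
    """AARS = (10 - CVSS_Base) x (Factor_Sum / 10) x ThM.

    The uplift is bounded by the headroom (10 - CVSS_Base): with a high CVSS
    base the agentic factors can only move the score a little.
    """
    return (10.0 - cvss_base) * (sum(factors.values()) / 10.0) * thm


def aivss(cvss_base: float, factors: dict, thm: float, mitigation: float) -> float:
    """AIVSS = (CVSS_Base + AARS) x Mitigation_Factor, capped at 10 (assumed cap)."""
    return min(10.0, (cvss_base + aars(cvss_base, factors, thm)) * mitigation)


def severity(score: float) -> str:
    """CVSS-style bands (assumed): Critical >= 9.0, High >= 7.0, Medium >= 4.0."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low" if score > 0 else "None"


def score_without(factor: str) -> float:
    """Re-score with one agentic factor zeroed, to see how much it drives the result."""
    reduced = dict(AGENTIC_FACTORS, **{factor: 0.0})
    return round(aivss(CVSS_BASE, reduced, THREAT_MULTIPLIER, MITIGATION_FACTOR), 1)


if __name__ == "__main__":
    uplift = aars(CVSS_BASE, AGENTIC_FACTORS, THREAT_MULTIPLIER)
    total = aivss(CVSS_BASE, AGENTIC_FACTORS, THREAT_MULTIPLIER, MITIGATION_FACTOR)
    print(f"AARS {uplift:.2f}, AIVSS {total:.1f} ({severity(total)})")
    # Zeroing even the largest factor barely moves the score: the CVSS base dominates.
    print("without Dynamic Tool Use:", score_without("Dynamic Tool Use"))
    # Credited mitigations (assumed factor 0.8) are what would take the listing out of Critical.
    mitigated = aivss(CVSS_BASE, AGENTIC_FACTORS, THREAT_MULTIPLIER, 0.8)
    print(f"with mitigation x0.8: {mitigated:.1f} ({severity(mitigated)})")
```

The takeaway from running it: disputing individual factor estimates changes the result by tenths of a point, whereas the mitigation factor, which the listing leaves at 1.0 because no sandboxing, egress control or approval step is documented, is the only lever that changes the severity band.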

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged "not certain from listing" carry general, caveated commentary where the public description does not pin down that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing: the MCP server does not bundle a foundation model, but any LLM connected to it is exposed to prompt injection from the pages it browses, which can steer the model into executing malicious JavaScript or navigating to attacker-controlled sites.

L2 · Data Operations (⚠ not certain from listing)

Not certain from the listing: no dedicated vector database or RAG pipeline is described, but the tool can return sensitive session data, cookies, or page content to the LLM, and a page-injected instruction can direct that data onward to external endpoints.

L3 · Agent Frameworks (✓ mapped)

The tool surface is dangerous by design: arbitrary JavaScript execution and form filling can be abused via prompt injection to perform unauthorized state-changing actions with the user's ambient credentials. The effect resembles CSRF, but because the requests originate inside the user's own browser session, anti-CSRF tokens and SameSite cookies do not help.

L4 · Deployment & Infrastructure (⚠ not certain from listing)

Not certain from the listing: the hosting environment of the Playwright instance is not specified, but without strict network egress controls the browser can be pointed at internal networks (SSRF) or at local and cloud instance metadata services.

L5 · Evaluation & Observability (✓ mapped)

The tool supports capturing screenshots, which aids observability, but no built-in guardrails or logging are mentioned that would detect or block malicious browser actions or unauthorized JS execution.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

No authentication, authorization, or policy-enforcement controls are mentioned. The server runs with the privileges of the host user and inherits that user's active browser sessions and credentials, with no access control between the model's requests and those sessions.
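Because L3 through L6 all come back to the same gap (no policy between the model's tool calls and the browser), here is one added example of the control a deployer would put in front of this server: a deny-by-default gate on navigation targets, with arbitrary-JS execution off unless a human enables it, and an audit record of every decision. It is illustrative code written for this page, not part of the MCP SSE Playwright server; the tool names "navigate" and "evaluate", the allowlist and the blocked hostnames are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Added illustration of a deny-by-default policy gate in front of browser
# tools. Not part of the MCP SSE Playwright server; tool names, allowlist and
# the BLOCKED_HOSTNAMES set are assumptions made for this example.

ALLOWED_SCHEMES = {"http", "https"}      # also rejects javascript:, file:, data:
# Names that cloud metadata services and local tooling commonly answer on.
BLOCKED_HOSTNAMES = {"localhost", "metadata", "metadata.google.internal", "instance-data"}


def is_internal_address(ip) -> bool:
    """True for loopback, RFC 1918, link-local (incl. 169.254.169.254), CGNAT
    and every other non-globally-routable range; unwraps IPv4-mapped IPv6 so
    ::ffff:169.254.169.254 is judged as 169.254.169.254."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not ip.is_global


def check_navigation(url: str, allowlist: frozenset) -> tuple:
    """Syntactic pre-check of a navigation target; returns (allowed, reason).
    A host must be allowlisted (exact match or subdomain) and must not be an
    internal address or a blocked name. This does not resolve DNS, so an
    allowlisted name that resolves to an internal IP (rebinding) still needs a
    network-layer or request-time check."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased
    if not host:
        return False, "missing host"
    if host in BLOCKED_HOSTNAMES:
        return False, f"host {host!r} is blocked"
    try:
        if is_internal_address(ipaddress.ip_address(host)):
            return False, f"address {host} is not globally routable"
    except ValueError:
        pass  # not an IP literal; fall through to the allowlist
    if not any(host == a or host.endswith("." + a) for a in allowlist):
        return False, f"host {host!r} not in allowlist"
    return True, "ok"


def gate_tool_call(tool: str, args: dict, allowlist: frozenset,
                   audit: list, allow_js: bool = False) -> bool:
    """Decide whether a model-issued tool call may reach the browser and
    append an audit record either way (the logging the listing lacks)."""
    if tool == "navigate":
        allowed, reason = check_navigation(args.get("url", ""), allowlist)
    elif tool == "evaluate":
        # Arbitrary JavaScript runs inside the user's session: off unless a
        # human has explicitly enabled it for this run.
        allowed = allow_js
        reason = "js execution " + ("enabled by operator" if allow_js else "disabled by policy")
    else:
        allowed, reason = False, f"unknown tool {tool!r}"
    audit.append({"tool": tool, "args": args, "allowed": allowed, "reason": reason})
    return allowed


if __name__ == "__main__":
    allow = frozenset({"example.com"})          # constructed allowlist
    log = []
    for call in (("navigate", {"url": "https://app.example.com/login"}),
                 ("navigate", {"url": "http://169.254.169.254/latest/meta-data/"}),
                 ("navigate", {"url": "javascript:alert(document.cookie)"}),
                 ("evaluate", {"script": "document.cookie"})):
        gate_tool_call(call[0], call[1], allow, log)
    for entry in log:
        print(entry["allowed"], entry["tool"], entry["reason"])
```

Wire the same check in twice: once on the tool argument before the call is dispatched, and once as a Playwright request handler (page.route on a catch-all pattern, calling route.abort() for disallowed URLs) so that redirects and subresources fetched after the initial navigation are covered as well. The check is syntactic on purpose; egress filtering at the network layer is still what stops an allowlisted name that resolves to an internal address.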

L7 · Agent Ecosystem (⚠ not certain from listing)

Not certain from the listing: there is no explicit multi-agent orchestration, but if the tool is integrated into a larger ecosystem, a compromised agent could use it to pivot into other web-based services reachable from the user's sessions.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).