playwright-mcp-internal
A Model Context Protocol (MCP) server that provides browser automation capabilities using [Playwright](https://playwright.dev). This server enables LLMs to interact with web pages through structured a
Dimension scores
Compatibility
| Framework | Status | Notes |
|---|---|---|
| Claude Code | ✓ | — |
| OpenAI Agents SDK | ~ | SSE transport not explicitly implemented, relies on stdio; complex nested tool schemas may need flattening for OpenAI function calling format; vision capability tools (browser_mouse_*_xy) use coordinate-based interactions which may not translate cleanly to OpenAI's function calling |
| LangChain | ✓ | Stateful browser context management may need careful wrapping in LangChain's execution model; long-running browser sessions may conflict with LangChain's per-tool execution pattern |
Security findings
Unvalidated URL input in browser_navigate allows navigation to arbitrary URLs
In tests/core.spec.ts, browser_navigate accepts a URL parameter with no validation shown. The relay connection and CDP commands allow navigation to any URL without restrictions, potentially enabling SSRF attacks or access to internal resources.
WebSocket connections accept arbitrary CDP endpoints without validation
In extension/src/background.ts _connectToRelay() and extension/src/relayConnection.ts, WebSocket connections are established to user-provided URLs (mcpRelayUrl) with only a 5-second timeout check. No validation of the destination or origin is performed.
Missing input validation on element selectors and references
Tab IDs and window IDs accepted without validation
Configuration files loaded from user-specified paths
Command injection risk in CDP command forwarding
Reliability
- Success rate: 82%
- Calls made: 100
- Avg latency: 450ms
- P95 latency: 1200ms
Failure modes
- WebSocket connection timeout (5s) when extension relay is unreachable - throws generic 'Connection timeout' error
- Browser crashes or debugger detaches unexpectedly - closes WebSocket with message but may leave resources in inconsistent state
- CDP command failures return error.message but may not be structured - error handling varies by command type
- Race conditions in tab lifecycle - onTabRemoved/onTabUpdated listeners may fire after connection is closed
- Missing error handling for JSON.parse in _onMessage - sends -32700 error but connection continues
- Extension connection state machine has no timeout for pending tab selection - connections can leak in _pendingTabSelection Map
- Concurrent MCP client connections may have race conditions - sharedBrowserContext config exists but no mutex/locking visible
- Browser context cleanup on errors incomplete - chrome.debugger.detach catches and ignores errors
- No retry logic for transient failures (network errors, browser hangs)
- Long inputs/unicode not explicitly validated - relies on Playwright's handling
- Missing input validation on many tool parameters - type errors would surface as Playwright exceptions
- Resource exhaustion possible - no limits on concurrent operations or memory usage visible
Code health
- License: Apache-2.0
- Has tests: Yes
- Has CI: No
- Dependencies: 15
Well-maintained Microsoft project with comprehensive tests, TypeScript types, and good documentation. Has Playwright test configuration and extensive test files across multiple packages (extension, playwright-mcp). Strong documentation with 43KB README, CONTRIBUTING.md, and SECURITY.md. Uses proper Apache 2.0 license. Missing: CI configuration files, CHANGELOG, and visible git history. Dependencies include @playwright/test, playwright, and @modelcontextprotocol/sdk. Test files present in packages/extension/tests/ and packages/playwright-mcp/tests/ with fixtures and multiple spec files. TypeScript configs present. Package published to npm at version 0.0.66. Monorepo structure with workspaces. Minor gaps: no visible CI workflow files in provided contents (though tests are well-structured), no CHANGELOG for version tracking. Overall strong code health for an active Microsoft project.