v0.2.0 · live
CAPFRAME
← leaderboard/rank #69
§ serversandboxfindings.v2

Browserbase MCP

npm:@browserbasehq/mcp-server-browserbase@2.4.3

Score
C72
Findings
9
Tools
9
Last scan
2026-06-05

Severity breakdown

Critical1
High1
Medium7
Low0
Info0

Worst finding

Tool `browserbase_stagehand_agent` exposes a code/command execution surface

· browserbase_stagehand_agent

`browserbase_stagehand_agent` looks like it executes code or shell commands (Execute a task autonomously using Gemini Computer Use agent. The agent will navigate and interact with web pages to complete the given task.). Arbitrary execution is the maximal authority a tool can hold -- it subsumes every other caveat, so it should never be exposed to an agent without a hard sandbox and an explicit, narrowly-scoped capability.

fix: Do not expose raw code/shell execution to an agent. If unavoidable, run it in a disposable sandbox with no network + no host FS, gate it behind a capframe-bind capability scoped to an allow-list of commands, and require holder-of-key proof per call.

All 9 findings

  1. critical
    Tool `browserbase_stagehand_agent` exposes a code/command execution surface· browserbase_stagehand_agentexcessive agency

    `browserbase_stagehand_agent` looks like it executes code or shell commands (Execute a task autonomously using Gemini Computer Use agent. The agent will navigate and interact with web pages to complete the given task.). Arbitrary execution is the maximal authority a tool can hold -- it subsumes every other caveat, so it should never be exposed to an agent without a hard sandbox and an explicit, narrowly-scoped capability.

    fix: Do not expose raw code/shell execution to an agent. If unavoidable, run it in a disposable sandbox with no network + no host FS, gate it behind a capframe-bind capability scoped to an allow-list of commands, and require holder-of-key proof per call.

  2. high
    Tool `browserbase_session_create` name implies a side effect that is not declared· browserbase_session_createexcessive agency

    `browserbase_session_create` looks like a side-effecting tool (its name contains a mutation verb), but its `side_effects` declaration is []. A policy synthesizer cannot produce safe rules for this tool because it cannot tell what it actually does.

    fix: Declare the tool's true side effects explicitly. If the tool is genuinely read-only, rename it to match (e.g. `email.preview` rather than `email.send`).

  3. medium
    Tool `browserbase_session_create` accepts unconstrained string input· browserbase_session_createunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `sessionId`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  4. medium
    Tool `browserbase_stagehand_navigate` accepts unconstrained string input· browserbase_stagehand_navigateunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `url`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  5. medium
    Tool `browserbase_stagehand_act` accepts unconstrained string input· browserbase_stagehand_actunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `action`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  6. medium
    Tool `browserbase_stagehand_extract` accepts unconstrained string input· browserbase_stagehand_extractunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `instruction`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  7. medium
    Tool `browserbase_stagehand_observe` accepts unconstrained string input· browserbase_stagehand_observeunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `instruction`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  8. medium
    Tool `browserbase_screenshot` accepts unconstrained string input· browserbase_screenshotunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `name`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  9. medium
    Tool `browserbase_stagehand_agent` accepts unconstrained string input· browserbase_stagehand_agentunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `prompt`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

How this was scored

Source sandbox live tools/list captured in an ephemeral Docker container (parameter schemas included → R1/R2/R4 fire). Findings are emitted by the public capframe.findings.v1 schema. Score = 100 − (10·Critical + 4·High + 2·Medium + 1·Low), clamped to [0, 100].

Disagree with a finding? Open an issue.