v0.2.0 · live
CAPFRAME
← leaderboard/rank #67
§ serversandboxfindings.v2

server-puppeteer

npm:@modelcontextprotocol/server-puppeteer@2025.5.12

Score
C76
Findings
8
Tools
7
Last scan
2026-06-05

Severity breakdown

Critical1
High0
Medium7
Low0
Info0

Worst finding

Tool `puppeteer_evaluate` exposes a code/command execution surface

· puppeteer_evaluate

`puppeteer_evaluate` looks like it executes code or shell commands (Execute JavaScript in the browser console). Arbitrary execution is the maximal authority a tool can hold -- it subsumes every other caveat, so it should never be exposed to an agent without a hard sandbox and an explicit, narrowly-scoped capability.

fix: Do not expose raw code/shell execution to an agent. If unavoidable, run it in a disposable sandbox with no network + no host FS, gate it behind a capframe-bind capability scoped to an allow-list of commands, and require holder-of-key proof per call.

All 8 findings

  1. critical
    Tool `puppeteer_evaluate` exposes a code/command execution surface· puppeteer_evaluateexcessive agency

    `puppeteer_evaluate` looks like it executes code or shell commands (Execute JavaScript in the browser console). Arbitrary execution is the maximal authority a tool can hold -- it subsumes every other caveat, so it should never be exposed to an agent without a hard sandbox and an explicit, narrowly-scoped capability.

    fix: Do not expose raw code/shell execution to an agent. If unavoidable, run it in a disposable sandbox with no network + no host FS, gate it behind a capframe-bind capability scoped to an allow-list of commands, and require holder-of-key proof per call.

  2. medium
    Tool `puppeteer_navigate` accepts unconstrained string input· puppeteer_navigateunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `url`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  3. medium
    Tool `puppeteer_screenshot` accepts unconstrained string input· puppeteer_screenshotunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `name`, `selector`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  4. medium
    Tool `puppeteer_click` accepts unconstrained string input· puppeteer_clickunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `selector`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  5. medium
    Tool `puppeteer_fill` accepts unconstrained string input· puppeteer_fillunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `selector`, `value`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  6. medium
    Tool `puppeteer_select` accepts unconstrained string input· puppeteer_selectunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `selector`, `value`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  7. medium
    Tool `puppeteer_hover` accepts unconstrained string input· puppeteer_hoverunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `selector`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  8. medium
    Tool `puppeteer_evaluate` accepts unconstrained string input· puppeteer_evaluateunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `script`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

How this was scored

Source sandbox live tools/list captured in an ephemeral Docker container (parameter schemas included → R1/R2/R4 fire). Findings are emitted by the public capframe.findings.v1 schema. Score = 100 − (10·Critical + 4·High + 2·Medium + 1·Low), clamped to [0, 100].

Disagree with a finding? Open an issue.