v0.2.0 · live
CAPFRAME
← leaderboard/rank #79
§ serversandboxfindings.v2

Playwright MCP

npm:@playwright/mcp@0.0.75

Score
D40
Findings
21
Tools
23
Last scan
2026-06-05

Severity breakdown

Critical2
High1
Medium18
Low0
Info0

Worst finding

Tool `browser_evaluate` exposes a code/command execution surface

· browser_evaluate

`browser_evaluate` looks like it executes code or shell commands (Evaluate JavaScript expression on page or element). Arbitrary execution is the maximal authority a tool can hold -- it subsumes every other caveat, so it should never be exposed to an agent without a hard sandbox and an explicit, narrowly-scoped capability.

fix: Do not expose raw code/shell execution to an agent. If unavoidable, run it in a disposable sandbox with no network + no host FS, gate it behind a capframe-bind capability scoped to an allow-list of commands, and require holder-of-key proof per call.

All 21 findings

  1. critical
    Tool `browser_evaluate` exposes a code/command execution surface· browser_evaluateexcessive agency

    `browser_evaluate` looks like it executes code or shell commands (Evaluate JavaScript expression on page or element). Arbitrary execution is the maximal authority a tool can hold -- it subsumes every other caveat, so it should never be exposed to an agent without a hard sandbox and an explicit, narrowly-scoped capability.

    fix: Do not expose raw code/shell execution to an agent. If unavoidable, run it in a disposable sandbox with no network + no host FS, gate it behind a capframe-bind capability scoped to an allow-list of commands, and require holder-of-key proof per call.

  2. critical
    Tool `browser_run_code_unsafe` exposes a code/command execution surface· browser_run_code_unsafeexcessive agency

    `browser_run_code_unsafe` looks like it executes code or shell commands (Run a Playwright code snippet. Unsafe: executes arbitrary JavaScript in the Playwright server process and is RCE-equivalent.). Arbitrary execution is the maximal authority a tool can hold -- it subsumes every other caveat, so it should never be exposed to an agent without a hard sandbox and an explicit, narrowly-scoped capability.

    fix: Do not expose raw code/shell execution to an agent. If unavoidable, run it in a disposable sandbox with no network + no host FS, gate it behind a capframe-bind capability scoped to an allow-list of commands, and require holder-of-key proof per call.

  3. high
    Tool `browser_drop` name implies a side effect that is not declared· browser_dropexcessive agency

    `browser_drop` looks like a side-effecting tool (its name contains a mutation verb), but its `side_effects` declaration is []. A policy synthesizer cannot produce safe rules for this tool because it cannot tell what it actually does.

    fix: Declare the tool's true side effects explicitly. If the tool is genuinely read-only, rename it to match (e.g. `email.preview` rather than `email.send`).

  4. medium
    Tool `browser_console_messages` accepts unconstrained string input· browser_console_messagesunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `filename`, `level`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  5. medium
    Tool `browser_handle_dialog` accepts unconstrained string input· browser_handle_dialogunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `promptText`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  6. medium
    Tool `browser_evaluate` accepts unconstrained string input· browser_evaluateunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `element`, `filename`, `function`, `target`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  7. medium
    Tool `browser_drop` accepts unconstrained string input· browser_dropunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `element`, `target`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  8. medium
    Tool `browser_press_key` accepts unconstrained string input· browser_press_keyunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `key`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  9. medium
    Tool `browser_type` accepts unconstrained string input· browser_typeunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `element`, `target`, `text`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  10. medium
    Tool `browser_navigate` accepts unconstrained string input· browser_navigateunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `url`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  11. medium
    Tool `browser_network_requests` accepts unconstrained string input· browser_network_requestsunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `filename`, `filter`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  12. medium
    Tool `browser_network_request` accepts unconstrained string input· browser_network_requestunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `filename`, `part`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  13. medium
    Tool `browser_run_code_unsafe` accepts unconstrained string input· browser_run_code_unsafeunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `code`, `filename`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  14. medium
    Tool `browser_take_screenshot` accepts unconstrained string input· browser_take_screenshotunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `element`, `filename`, `target`, `type`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  15. medium
    Tool `browser_snapshot` accepts unconstrained string input· browser_snapshotunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `filename`, `target`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  16. medium
    Tool `browser_click` accepts unconstrained string input· browser_clickunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `button`, `element`, `target`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  17. medium
    Tool `browser_drag` accepts unconstrained string input· browser_dragunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `endElement`, `endTarget`, `startElement`, `startTarget`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  18. medium
    Tool `browser_hover` accepts unconstrained string input· browser_hoverunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `element`, `target`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  19. medium
    Tool `browser_select_option` accepts unconstrained string input· browser_select_optionunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `element`, `target`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  20. medium
    Tool `browser_tabs` accepts unconstrained string input· browser_tabsunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `action`, `url`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

  21. medium
    Tool `browser_wait_for` accepts unconstrained string input· browser_wait_forunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `text`, `textGone`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

How this was scored

Source sandbox live tools/list captured in an ephemeral Docker container (parameter schemas included → R1/R2/R4 fire). Findings are emitted by the public capframe.findings.v1 schema. Score = 100 − (10·Critical + 4·High + 2·Medium + 1·Low), clamped to [0, 100].

Disagree with a finding? Open an issue.