Is Browserbase MCP server safe?
@browserbasehq/mcp is an AI npm package analyzed by SkillTotal's deterministic static scanner. The scan found no malicious indicators, though 7 risky constructs are reported for review. Detected capabilities: filesystem read, filesystem write, install-time execution, MCP tools, and network egress. Capabilities are what the code can do, not a verdict on intent. Risk score 10/100 (low).
@browserbasehq/mcp 3.0.0
- MCP server launches a host command
- Node.js filesystem read
- Node.js filesystem write/delete
No malicious indicators found by static analysis.
Findings (7)
An MCP server entry launches a command on your host.
"command": "npx",
Why it matters: Trusting the manifest means running that binary — verify what it is and where it comes from.
Fix: Verify the launched command and its source before trusting this MCP server configuration.
A server is bound to all network interfaces (0.0.0.0), not just your own machine.
* @example "0.0.0.0" - Accepts connections from any interface (use with caution)
if (resolvedHost === "0.0.0.0" || resolvedHost === "[::]")
Why it matters: Without authentication, other hosts on the network can reach it.
Fix: Bind to 127.0.0.1 for local-only use, or require authentication and restrict access if remote exposure is intended.
The component reads files from disk.
const configContent = await fs.readFile(configPath, "utf-8");
const packageJSONBuffer = fs.readFileSync(packageJSONPath);
Why it matters: Usually legitimate, but worth confirming it can't be steered into reading sensitive files.
Fix: Confirm which files are read and that paths cannot be influenced by untrusted input to reach sensitive locations.
The component writes or deletes files on disk.
await fs.writeFile(wfPath, JSON.stringify(wfConfig, null, 2));
await Promise.all(workflowFiles.map((f) => fs.unlink(f)));
await fs.writeFile(
Why it matters: Usually legitimate, but worth confirming the paths can't be controlled by untrusted input.
Fix: Confirm which files are written/deleted and that paths cannot be influenced by untrusted input.
package.json has a 'prepare' script (runs on git/local installs and before publishing).
"prepare": "husky && pnpm build",
Why it matters: Usually a build step, but confirm it doesn't fetch or run remote code.
Fix: Usually a legitimate build step; confirm it only builds and does not fetch or execute remote code.
The component makes outbound network requests.
import http from "node:http";
Why it matters: Usually legitimate, but confirm the destinations are expected and no sensitive data leaves.
Fix: Confirm the destination hosts are expected and that no sensitive data is sent off-host.
An MCP tool surface (manifest or tool definitions) was found.
"mcpServers": {
Why it matters: Just context — review which tools it offers and their permissions.
Fix: Review the declared MCP tools and their permissions.
How we determine this: deterministic static analysis (regex + AST), evidence-anchored, no code execution.