Tracked packageView full profile for playwright-mcp-server →

MCPSafe.io

Security pre-install checks for MCP servers.

Use with caution. Address findings before production.

Compare to another server

npm · playwright-mcp-server1.0.0

Item: playwright-mcp-server
Rating: 3
Author: MCPSafe

Scanned 5/1/2026, 11:26:56 AM·Cached result·Fast Scan·45 rules·View source ↗·How we decide ↗

AIVSS Score

4.0/ 10

Medium

Severity Breakdown

critical

high

medium

low

MCP Server Information

Packageplaywright-mcp-server

Version1.0.0

SourceNPM

LicenseMIT

Publishersiadiur

Package age1y 0m

Stars—

Downloads/wk1.1K

Dependencies6

Findings

4 of 4 findings

high (1)

medium (3)

4 findings

high (1)

AIVSS 3.4CVSS 5.8

File mounts an HTTP route that handles MCP `tools/list` (Express / Fastify / FastAPI / Flask) but the route — and the router it sits behind — has no auth middleware applied. An anonymous client can enumerate every tool the server exposes, scope the attack surface, and (if `tools/call` shares the route) invoke them. Apply auth at the route or router level: Express `passport.authenticate(...)` / a `requireAuth`-style middleware, FastAPI `Depends(get_current_user)` or `Depends(verify_jwt)`, Flask

Evidence

import express, { Request, Response, RequestHandler } from 'express';
import { chromium, Page } from 'playwright';
import fs from 'fs';
import path from 'path';
import { OpenAI } from 'openai';
import { glob } from 'glob';
import { AuthManager } from './auth-manager.js';
import { CodeAnalyzer } from './code-analyzer.js';
import { TestStructureManager } from './test-structure-manager.js';
import {
  MCPMessage,
  MCPResponse,
  ListOfferingsResponse,
  AuthConfig,
  SiteContext
} from './types.js

Remediation

Apply auth middleware at the route or router level: - Express / Fastify / Koa: `passport.authenticate(...)`, `requireAuth`, `verifyToken`, or an equivalent JWT middleware applied via `router.use(authMw)` or as a per-route handler. - FastAPI: `Depends(get_current_user)`, `OAuth2PasswordBearer`, `HTTPBearer`, or `verify_jwt` dependency. - Flask: `@login_required`, `@auth_required`, `@jwt_required`, or call `verify_jwt_in_request()` in the handler. Mounting MCP behind a s

Report false positive →

medium (3)

AIVSS 4.0CVSS 5.5

Hardcoded secret detected in source. MCP servers often proxy between the model and a third-party API, so any committed credential grants that access to anyone who can read the repo. Move to an environment variable or secret manager and rotate the leaked value.

Evidence

#!/bin/bash

# Set the OpenAI API key
export OPENAI_API_KEY="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"

# Change to the script directory
cd "$(dirname "$0")"

Remediation

Rotate the leaked credential immediately, then replace the hardcoded value with os.environ / process.env lookup. For deployment, inject the value through your secret manager (AWS Secrets Manager, Doppler, Vault).

Report false positive →

AIVSS 2.8CVSS 3.5

User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.

Evidence

// MCP endpoint
const mcpHandler = async (req: Request, res: Response): Promise<void> => {
  try {
    console.log('Received MCP request');
    const { prompt, workspaceRoot } = req.body;
    
    console.log(`Prompt: ${prompt}`);

Remediation

Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.

Report false positive →

AIVSS 2.8CVSS 3.5

User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.

Evidence

console.log('Returning MCP to Cursor');
    res.json({ mcp });
  } catch (error) {
    console.error(`Error processing MCP request: ${error instanceof Error ? error.message : 'Unknown error'}`);
    res.status(500).json({ error: error instanceof Error ? error.message : 'Unknown error' });
  }
};

Remediation

Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.

Report false positive →

LLM summary— playwright-mcp-server:1.0.0

This package contains one high-severity issue along with three medium-severity vulnerabilities, including a hardcoded secret and two instances of ANSI escape injection that could allow output manipulation. The hardcoded credential poses an immediate risk if exposed, while the injection flaws could be exploited to alter displayed information or cause denial of service. With a safety score of 82/100 and AIVSS rating of 4.0/10, you should address these findings before deployment, particularly the hardcoded secret which should be rotated immediately if already used.

Signal scores

CVE check100

Static100

Publisher identity10

Permissions80

Supply chain100

Typosquat100

Package health75

Community82

Secrets & exfil92

Injection risks84

Destructive ops100

LLM judge panel

CVE check

No known CVEs found for this package or its dependencies.

Community trust

No community reports

Security policy: Not found
Advisories: 0

Scan details

Total findings: 4
Affected tools: 0 / 1
Scan type: Fast Scan
Rules run: 45
LLM consensus score: N/A
Scanned: 12d ago
Source: NPM

MCP Server Information

Source: NPM
Package: playwright-mcp-server
Version: 1.0.0
License: MIT
Publisher: siadiur
Verified: No
Added: 1y 0m ago
Versions: 1
Ecosystem: Node.js / npm
Downloads/wk: 1.1K
Dependencies: 6

AIVSS Score

4.0/ 10Medium

Internal score: 82/100

Severity breakdown

Scan Details

Total findings4

Affected tools0 / 1

Scanned12d ago

Scan modeFAST

SourceNPM

Scan IDpubfastef362357c41db0fafa20

Want deeper analysis?

Fast scan found 4 findings using rule-based analysis. Upgrade for LLM consensus across 5 judges, AI-generated remediation, and cross-file taint analysis.

View plans Scan another package

Building your own MCP server?

Run this exact engine on your private repo — before users see it on /scan.

Same rules, same LLM judges, same grade. Private scans stay isolated to your account and never appear in the public registry. Required for code your team hasn’t shipped yet.

See plans with Private scans How private scans stay private

4 of 4 findings

high (1)

medium (3)

4 findings

high (1)

AIVSS 3.4CVSS 5.8

Evidence

import express, { Request, Response, RequestHandler } from 'express';
import { chromium, Page } from 'playwright';
import fs from 'fs';
import path from 'path';
import { OpenAI } from 'openai';
import { glob } from 'glob';
import { AuthManager } from './auth-manager.js';
import { CodeAnalyzer } from './code-analyzer.js';
import { TestStructureManager } from './test-structure-manager.js';
import {
  MCPMessage,
  MCPResponse,
  ListOfferingsResponse,
  AuthConfig,
  SiteContext
} from './types.js

Remediation

Report false positive →

medium (3)

AIVSS 4.0CVSS 5.5

Evidence

#!/bin/bash

# Set the OpenAI API key
export OPENAI_API_KEY="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"

# Change to the script directory
cd "$(dirname "$0")"

Remediation

Report false positive →

AIVSS 2.8CVSS 3.5

User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.

Evidence

// MCP endpoint
const mcpHandler = async (req: Request, res: Response): Promise<void> => {
  try {
    console.log('Received MCP request');
    const { prompt, workspaceRoot } = req.body;
    
    console.log(`Prompt: ${prompt}`);

Remediation

Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.

Report false positive →

AIVSS 2.8CVSS 3.5

User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.

Evidence

console.log('Returning MCP to Cursor');
    res.json({ mcp });
  } catch (error) {
    console.error(`Error processing MCP request: ${error instanceof Error ? error.message : 'Unknown error'}`);
    res.status(500).json({ error: error instanceof Error ? error.message : 'Unknown error' });
  }
};

Remediation

Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.

Report false positive →

125	// MCP endpoint
126	const mcpHandler = async (req: Request, res: Response): Promise<void> => {
127	try {
128	console.log('Received MCP request');
129	const { prompt, workspaceRoot } = req.body;
130
131	console.log(`Prompt: ${prompt}`);

207	console.log('Returning MCP to Cursor');
208	res.json({ mcp });
209	} catch (error) {
210	console.error(`Error processing MCP request: ${error instanceof Error ? error.message : 'Unknown error'}`);
211	res.status(500).json({ error: error instanceof Error ? error.message : 'Unknown error' });
212	}
213	};

125	// MCP endpoint
126	const mcpHandler = async (req: Request, res: Response): Promise<void> => {
127	try {
128	console.log('Received MCP request');
129	const { prompt, workspaceRoot } = req.body;
130
131	console.log(`Prompt: ${prompt}`);

207	console.log('Returning MCP to Cursor');
208	res.json({ mcp });
209	} catch (error) {
210	console.error(`Error processing MCP request: ${error instanceof Error ? error.message : 'Unknown error'}`);
211	res.status(500).json({ error: error instanceof Error ? error.message : 'Unknown error' });
212	}
213	};

1	import express, { Request, Response, RequestHandler } from 'express';
2	import { chromium, Page } from 'playwright';
3	import fs from 'fs';
4	import path from 'path';
5	import { OpenAI } from 'openai';
6	import { glob } from 'glob';
7	import { AuthManager } from './auth-manager.js';
8	import { CodeAnalyzer } from './code-analyzer.js';
9	import { TestStructureManager } from './test-structure-manager.js';
10	import {
11	MCPMessage,
12	MCPResponse,
13	ListOfferingsResponse,
14	AuthConfig,
15	SiteContext
16	} from './types.js

1	#!/bin/bash
2
3	# Set the OpenAI API key
4	export OPENAI_API_KEY="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"
5
6	# Change to the script directory
7	cd "$(dirname "$0")"