BROWSER

playwright-mcp

Microsoft's MCP server wrapping Playwright. Lets agents drive a real browser — navigate, click, fill forms, capture screenshots, scrape.

Alive Recommended REVIEWED 2026-05-06
VERDICT

Best-in-class browser automation MCP. Use it when your agent must interact with a web UI that has no API.

What it does

Wraps Playwright as MCP tools so an agent can drive a real browser the way a human would. Open URLs, click, type, navigate, screenshot, scrape. Used heavily in browser-agent workflows where there is no underlying API.

When you actually need it

You usually do not. Try this order:

  1. Is there an API? Use it.
  2. Is there an RSS / sitemap / public data feed? Use it.
  3. Is the page static enough to fetch + parse? Use a fetch + cheerio MCP.
  4. Only then: reach for playwright-mcp.

When you need it, you really need it — there is no substitute for “drive a real browser” tasks. But it is the heaviest tool in the kit.

Setup

  1. Install Node + Playwright dependencies (one-time browser binaries download).
  2. Add to your MCP host config (under the host's server map, "mcpServers" in most hosts):
    "playwright": {
      "command": "npx",
      "args": ["-y", "@playwright/mcp"]
    }
  3. Restart your host.

My take

Pending Sush’s real usage notes.

Use it for narrow, well-scoped flows: scrape this dashboard, fill this form, capture this screenshot. Avoid letting the agent “explore the web freely” — that’s where browser agents go off the rails.

Combinations

  • cloudflare-mcp — to purge cache after publishing
  • youtube-mcp — for YouTube workflows where some metadata isn’t in the public API
  • filesystem-mcp — to save screenshots and DOM snapshots locally

Used in recipes:

MCP SECURITY SCORECARD Methodology v1.0 · Confidence HIGH · Reviewed 2026-05-07 · Next review due 2026-08-07
ADOPT WITH LIMITS

FOR: Browser automation tasks that have no API alternative.

Use when no API exists for the task. Scope target URLs with an allow-list, not a deny-list, and enforce it outside the prompt wherever the host or server lets you: a prompt-level rule is the first thing a hostile page will try to argue the model out of. Never run with credentials beyond what the task actually needs, and treat everything the tools return as untrusted text, since any page content can be hostile.

Maintainer corp

Maintained by Microsoft Playwright team. Active project, regular releases tracking Playwright core.

Licence Apache-2.0

Microsoft's typical default for OSS tooling.

Code review yes

PRs go through Microsoft's internal review. Active project under the Playwright org.

Secrets handling scoped

Server itself does not handle secrets. If your prompt asks the agent to enter passwords on a form, the credentials flow through Playwright into a real browser context — your responsibility to scope where that browser navigates.

Sandbox process

Runs as a subprocess of the MCP host. The Chromium browser process carries Chromium's own renderer sandbox (only as long as you have not launched it with that sandbox disabled, which containerised setups are often tempted to do); the MCP server itself is not additionally containerised by default.

Filesystem access scoped

Writes screenshots and downloads to a configured directory (default: a per-session temp dir). Reads no host filesystem outside that scope unless the agent navigates to file:// URLs (which can be disabled via launch arg). One caveat: upload_file reads whatever host path the agent passes it, so a hostile page can steer the agent into posting a local file into the page's own form; that read is not covered by the output-directory scoping.

Shell access no

No shell tools exposed by the server itself.

Network egress open

By design — the agent can navigate to any URL. This is the most significant safety dimension. Treat the running browser as having full HTTP egress, including to loopback and link-local addresses, so a hostile page can point it at local admin panels or, on a cloud VM, the instance metadata endpoint. Lock down what URLs your agent is allowed to visit at the prompt level and, where the server or host supports it, outside the prompt as well.

OAuth handling n/a

Server itself doesn't take OAuth tokens; any OAuth happens inside the controlled browser session.

Default permissions broad

Once attached, the agent can drive a real browser anywhere. There is no `read-only browse` mode by default — every navigation is a potential write (form submit, button click).

Prompt-injection exposure high

Pages the agent navigates to can contain hostile instructions in DOM text, alt attributes, hidden elements, or even ARIA labels. The accessibility-tree input the LLM sees is fully attacker-controllable when the page is hostile.

Supply chain surface medium

Direct deps are small (@modelcontextprotocol/sdk + playwright). Transitive surface includes Playwright itself, which downloads browser binaries at install time. Those are Playwright's own builds of Chromium, Firefox and WebKit served from Microsoft's CDN, not the vendors' retail releases, so their provenance rests with the Playwright project rather than with Google or Mozilla (unless you configure the server to use a locally installed Chrome or Edge).

Dep CVE surface clean

No active CVEs in the published package at last scan.

Rate-limit risk medium

Browser sessions are heavyweight (~500MB RAM each). Long-running agents that spawn many sessions hit memory pressure faster than rate limits.

Signed releases partial

npm package published under @playwright/mcp; provenance attestations available via npm. Browser binaries are downloaded by Playwright itself, not redistributed by this package.

Security policy yes

Microsoft's standard responsible disclosure policy applies.

Telemetry opt-in

Playwright itself respects PLAYWRIGHT_DISABLE_TELEMETRY=1; the MCP server doesn't add additional telemetry.

Data residency local

Browser runs locally. Sites the agent visits send data to those sites' servers (their residency, not yours).

Credential storage memory

No persistent credential storage by the server. Browser context can persist cookies / session storage if you enable it via storageState.

DESTRUCTIVE TOOLS

6 present · human approval optional

  • click
  • fill
  • press_key
  • navigate
  • select_option
  • upload_file
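A host-side gate that turns the scorecard's three rules (origin allow-list, approval for the destructive tools above, tool output treated as untrusted text) and the Setup section's host-config entry into code, as an added example. This is not part of @playwright/mcp and not the page's own material. Assumptions: the tool names are the page's short names (the server's real tool names may carry a prefix), the POLICY object, sample URLs and tool calls are constructed, and the flag names used in serverArgs() are the ones I know from the package README and should be confirmed against `npx @playwright/mcp --help`.

```javascript
// Added example, not part of @playwright/mcp or of this page's own material.
// A gate between the model and the playwright-mcp server that enforces the
// scorecard's rules in code rather than in the prompt. Assumptions: tool names
// are the page's short names; POLICY, URLs and SAMPLE_CALLS are constructed;
// flag names in serverArgs() come from the package README as I know it and
// should be checked with `npx @playwright/mcp --help`.

// Constructed policy. Exact origins only: no wildcards, no suffix matching,
// so dashboard.example.com.evil.example never matches dashboard.example.com.
const POLICY = {
  allowedOrigins: ['https://dashboard.example.com', 'https://status.example.com:8443'],
  // The page's destructive-tools list: each of these can change state on the target.
  destructiveTools: new Set(['click', 'fill', 'press_key', 'navigate', 'select_option', 'upload_file']),
};

// Reduce a URL to a comparable origin, or null if it is not plain http(s).
// file:, javascript:, data: and blob: are rejected outright. The WHATWG parser
// lowercases the host, drops default ports and strips userinfo, so both
// https://DASHBOARD.example.com:443/ and https://x@dashboard.example.com/
// yield https://dashboard.example.com.
function originOf(raw) {
  let u;
  try { u = new URL(String(raw)); } catch { return null; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  return u.origin;
}

function isAllowedOrigin(raw, policy = POLICY) {
  const origin = originOf(raw);
  if (origin === null) return false;
  return policy.allowedOrigins.some((a) => originOf(a) === origin);
}

// Decide what the host should do with a tool call before forwarding it.
// Returns { decision: 'allow' | 'approve' | 'block', reason }.
// 'approve' means hold the call until a human confirms it.
function gateToolCall(call, policy = POLICY) {
  const { name, args = {} } = call;
  if (name === 'navigate' && !isAllowedOrigin(args.url, policy)) {
    return { decision: 'block', reason: `origin of ${args.url} is not on the allow-list` };
  }
  if (policy.destructiveTools.has(name)) {
    return { decision: 'approve', reason: `${name} can change state on the target page` };
  }
  return { decision: 'allow', reason: 'read-only tool' };
}

// Wrap page-derived text (snapshots, scraped content) so the model sees it as
// data. Any copy of the delimiter the page itself tries to inject is stripped.
function wrapUntrusted(toolName, text) {
  const body = String(text).replace(/<\/?untrusted\b[^>]*>/gi, '');
  return `<untrusted source="${toolName}">\n${body}\n</untrusted>`;
}

// The Setup section's host-config entry, hardened: headless, a throwaway
// profile, and the same allow-list handed to the server so it refuses
// off-list requests too (assumed flag names; see the note at the top).
function serverArgs(policy = POLICY) {
  const origins = policy.allowedOrigins.map((a) => originOf(a)).join(';');
  return ['-y', '@playwright/mcp', '--headless', '--isolated', '--allowed-origins', origins];
}

function hostConfig(policy = POLICY) {
  return { playwright: { command: 'npx', args: serverArgs(policy) } };
}

// Constructed tool calls, of the kind a hostile page might steer the model into.
const SAMPLE_CALLS = [
  { name: 'navigate', args: { url: 'https://dashboard.example.com/reports' } },
  { name: 'navigate', args: { url: 'https://dashboard.example.com.evil.example/login' } },
  { name: 'navigate', args: { url: 'file:///etc/passwd' } },
  { name: 'navigate', args: { url: 'http://169.254.169.254/latest/meta-data/' } },
  { name: 'snapshot' },
  { name: 'upload_file', args: { paths: ['/home/me/.ssh/id_ed25519'] } },
];

// Run the gate over a batch of calls; returns the decisions in order.
function gateAll(calls = SAMPLE_CALLS, policy = POLICY) {
  return calls.map((c) => gateToolCall(c, policy).decision);
}

console.log(gateAll());
console.log(JSON.stringify(hostConfig(), null, 2));
```

Where gateToolCall runs depends on your host: a host that exposes a hook on outgoing tool calls is the right place; if yours does not, at least hand the same origin list to the server through serverArgs(), because a prompt-level rule alone is exactly what a hostile page will try to override. Note that the userinfo trick (https://evil.example@dashboard.example.com/) is handled correctly by the URL parser, while a look-alike host (dashboard.example.com.evil.example) is caught only because matching is by exact origin rather than by suffix.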

NOT A FORMAL SECURITY AUDIT · Adoption posture based on public-source review · See methodology for what's measured and what isn't