playwright-mcp
Microsoft's MCP server wrapping Playwright. Lets agents drive a real browser — navigate, click, fill forms, capture screenshots, scrape.
Best-in-class browser automation MCP. Use it when your agent must interact with a web UI that has no API.
What it does
Wraps Playwright as MCP tools so an agent can drive a real browser the way a human would: open URLs, click, type, navigate, screenshot, scrape. Used heavily in browser-agent workflows where there is no underlying API.
When you actually need it
You usually do not. Try this order:
- Is there an API? Use it.
- Is there an RSS / sitemap / public data feed? Use it.
- Is the page static enough to fetch + parse? Use a fetch + cheerio MCP.
- Only then: reach for playwright-mcp.
When you need it, you really need it — there is no substitute for “drive a real browser” tasks. But it is the heaviest tool in the kit.
Setup
- Install Node + Playwright dependencies (one-time browser binaries download).
- Add to your MCP host config:
  "playwright": { "command": "npx", "args": ["-y", "@playwright/mcp"] }
- Restart your host.
My take
Pending Sush’s real usage notes.
Use it for narrow, well-scoped flows: scrape this dashboard, fill this form, capture this screenshot. Avoid letting the agent “explore the web freely” — that’s where browser agents go off the rails.
Combinations
- cloudflare-mcp — to purge cache after publishing
- youtube-mcp — for YouTube workflows where some metadata isn’t in the public API
- filesystem-mcp — to save screenshots and DOM snapshots locally
Used in recipes:
FOR: Browser automation tasks that have no API alternative.
Use when no API exists for the task. Always scope target URLs at the prompt level (allow-list, not deny-list); never run with credentials beyond what the task actually needs; assume any page content can be hostile and treat tool output as untrusted text.
Maintained by the Microsoft Playwright team. Active project, regular releases tracking Playwright core.
Microsoft's typical default for OSS tooling.
PRs go through Microsoft's internal review. Active project under the Playwright org.
Server itself does not handle secrets. If your prompt asks the agent to enter passwords on a form, the credentials flow through Playwright into a real browser context — your responsibility to scope where that browser navigates.
Runs as a subprocess of the MCP host. The Chromium browser process is itself sandboxed by Chromium; the MCP server isn't additionally containerised by default.
Writes screenshots and downloads to a configured directory (default: a per-session temp dir). Reads no host filesystem outside that scope unless the agent navigates to file:// URLs (which can be disabled via launch arg).
No shell tools exposed by the server itself.
By design — the agent can navigate to any URL. This is the most significant safety dimension. Treat the running browser as having full HTTP egress and lock down what URLs your agent is allowed to visit at the prompt level.
Server itself doesn't take OAuth tokens; any OAuth happens inside the controlled browser session.
Once attached, the agent can drive a real browser anywhere. There is no `read-only browse` mode by default — every navigation is a potential write (form submit, button click).
Pages the agent navigates to can contain hostile instructions in DOM text, alt attributes, hidden elements, or even ARIA labels. The accessibility-tree input the LLM sees is fully attacker-controllable when the page is hostile.
Direct deps are small (@modelcontextprotocol/sdk + playwright). Transitive surface includes Playwright itself, which depends on browser binaries downloaded at install time. Browser binaries are signed by Microsoft / Google / Mozilla.
No active CVEs in the published package at last scan.
Browser sessions are heavyweight (~500MB RAM each). Long-running agents that spawn many sessions hit memory pressure faster than rate limits.
npm package published under @playwright/mcp; provenance attestations available via npm. Browser binaries are downloaded by Playwright itself, not redistributed by this package.
Microsoft's standard responsible disclosure policy applies.
Playwright itself respects PLAYWRIGHT_DISABLE_TELEMETRY=1; the MCP server doesn't add additional telemetry.
Browser runs locally. Sites the agent visits send data to those sites' servers (their residency, not yours).
No persistent credential storage by the server. Browser context can persist cookies / session storage if you enable it via storageState.
6 present · human approval optional
- click
- fill
- press_key
- navigate
- select_option
- upload_file
NOT A FORMAL SECURITY AUDIT · Adoption posture based on public-source review · See methodology for what's measured and what isn't