Browser automation is one of the most useful abilities for AI agents.
It is also one of the easiest places to make a mess.
A browser tool can click, fill forms, run JavaScript, capture pages and move through real user flows. That power needs boundaries.
That is why I built a Puppeteer MCP server with safety controls in mind.
Repo:
https://github.com/tecnomanu/puppeteer-server
What it supports:
- real browser navigation
- screenshots
- element clicks
- form filling
- JavaScript evaluation
- console log capture
- configurable launch options
- domain allowlists
- rate limits
- timeouts
- audit logging
For agent workflows, I think the main question is not just "can the agent browse?"
The better question is: can it browse inside explicit limits?
A browser MCP server should make unsafe behavior harder by default.
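As an added illustration of explicit limits (this is not code from the repo above; `createGate`, `POLICY` and the sample hosts are hypothetical), here is a default-deny gate that a browser tool could call before navigating. It combines a domain allowlist, a rate limit and an audit log:

```javascript
// Added example: default-deny navigation gate. All names here are hypothetical.
const POLICY = {
  allowedHosts: ['example.com', 'docs.example.com'], // constructed sample allowlist
  allowedSchemes: ['https:'],                        // file:, javascript:, data: stay off
  maxCallsPerWindow: 3,
  windowMs: 1000,
};

function createGate(policy, now = () => Date.now()) {
  const calls = [];    // timestamps of recently allowed calls (sliding window)
  const auditLog = []; // every decision is recorded, allowed or not

  function decide(rawUrl) {
    let url;
    try { url = new URL(rawUrl); } catch { return 'invalid_url'; }
    if (!policy.allowedSchemes.includes(url.protocol)) return 'scheme_not_allowed';
    // "https://example.com@other.test/" has hostname other.test; reject userinfo outright.
    if (url.username || url.password) return 'credentials_in_url';
    // Exact match on the parsed hostname, never a substring or suffix test on the raw
    // string, so "example.com.other.test" does not pass.
    if (!policy.allowedHosts.includes(url.hostname)) return 'host_not_allowlisted';
    const t = now();
    while (calls.length && t - calls[0] >= policy.windowMs) calls.shift();
    if (calls.length >= policy.maxCallsPerWindow) return 'rate_limited';
    calls.push(t);
    return 'allowed';
  }

  // Returns the audit entry so the caller can refuse the tool call and report why.
  function check(tool, rawUrl) {
    const reason = decide(rawUrl);
    const entry = { ts: now(), tool, url: String(rawUrl), allowed: reason === 'allowed', reason };
    auditLog.push(entry);
    return entry;
  }

  return { check, auditLog };
}
```

Checking only the URL handed to the tool does not cover redirects or subresource requests. In Puppeteer the same function can vet those from a `request` handler after `page.setRequestInterception(true)`.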
Useful cases:
- QA checks
- scraping allowed pages
- internal admin workflows
- visual inspection
- automation prototypes
- agent-driven browser tasks
I am interested in feedback from people building MCP tools.
Which browser permissions should be default-off?
And what security controls should every browser automation MCP include?