
mcp-playwright-ts

by LokeshSinhaN

Overview

An AI-powered web automation server using Playwright that allows AI models to interpret natural language commands to interact with web browsers, perform actions, extract information, and provide real-time visual feedback.

Installation

Run Command
cd backend && npm run dev

Environment Variables

  • GEMINI_API_KEY
  • GEMINI_MODEL
  • PORT
  • CHROMEDRIVER_PATH

Security Notes

The server exposes direct browser automation actions (navigate, click, type) via the `/api/execute` endpoint. If this server is exposed to untrusted external users, it presents significant risks:

- **Server-Side Request Forgery (SSRF) / Open Redirect:** The `navigate` action allows an attacker to direct the server's browser to arbitrary URLs, potentially including internal network resources or malicious external sites.
- **Arbitrary Browser Interaction:** The `click` and `type` actions take user-controlled selectors and text, enabling arbitrary interaction with web pages, which could lead to data exfiltration or manipulation if sensitive pages are accessed.
- **Code Injection (Critical):** The `generateSelenium` function directly embeds user-provided `cmd.target` and `cmd.value` into a Python script string without apparent sanitization. If the `commands` array is controllable by an untrusted entity, this is a severe arbitrary code injection vulnerability, allowing them to execute any Python code on the server.
- **Reliance on AI Safety:** While Gemini AI is used to interpret commands, if the AI itself is susceptible to prompt injection attacks, the underlying direct browser control functions remain exploitable.

Stats

Interest Score: 0
Security Score: 3
Cost Class: High
Avg Tokens: 25000
Stars: 0
Forks: 0
Last Update: 2026-01-19

Tags

AI Automation, Web Scraping, Playwright, Model Context Protocol, Real-time