
AgentBoard

Verified Safe

by igrigorik

Overview

Enhances web browsing with AI-driven automation, allowing LLMs to interact with web pages, extract content, and execute custom tools.

Installation

Run Command
No command provided

Environment Variables

  • OPENAI_API_KEY
  • ANTHROPIC_API_KEY
  • GOOGLE_API_KEY

Security Notes

The system is designed to execute user-provided JavaScript (WebMCP tools) directly in the browser's main world, bypassing Content Security Policy (CSP) for powerful functionality. While this is intentional and uses secure injection methods (e.g., Blob URLs, Trusted Types where available), a malicious user script, if installed, could perform arbitrary actions on visited pages (e.g., data exfiltration, DOM manipulation). The `fetch_url` system tool can access any URL from the background service worker; if the LLM's safety mechanisms do not constrain it, it could be coerced into server-side request forgery (SSRF). The `new Function()` call in `script-parser.ts` parses metadata objects from user scripts. Using `new Function()` is a known risk, but here it is applied to a strictly formatted section and not to arbitrary code. Overall, the architecture shows careful security considerations for an extension of this nature, but the ultimate safety relies heavily on the user's vigilance regarding the scripts they enable.

Stats

Interest Score: 75
Security Score: 7
Cost Class: Medium
Avg Tokens: 1500
Stars: 90
Forks: 12
Last Update: 2025-12-14

Tags

  • AI Assistant
  • Browser Extension
  • Web Automation
  • Content Extraction
  • LLM Tools