next-devtools-mcp

Verified Safe

by vercel

Overview

This MCP server provides Next.js development tools for AI coding agents, including runtime diagnostics, automated upgrades, Cache Components setup, browser testing, and documentation search.

Installation

Run Command
npx -y next-devtools-mcp@latest

Environment Variables

  • NEXT_DEVTOOLS_HOST
  • NODE_TLS_REJECT_UNAUTHORIZED
  • NEXT_TELEMETRY_DISABLED
  • DEBUG
  • VERBOSE

Security Notes

The `evaluate` action of the `browser_eval` tool executes arbitrary JavaScript in a browser context. This is an intended feature for browser automation, but it poses a significant security risk if the input script (the `script` argument) is not strictly controlled and validated by the calling AI agent or user. An attacker could potentially craft malicious JavaScript to exfiltrate data, perform unwanted actions, or exploit browser vulnerabilities.

The server also uses `execSync` and `spawn` to run shell commands (e.g., `npm install -g @playwright/mcp`, `ss`, `netstat`). The arguments for package installation are fixed, but the `ss` and `netstat` commands construct parts of their arguments from internally derived PIDs. A theoretical risk exists if the PID derivation or the underlying `find-process` library could be manipulated, potentially leading to command injection. This is a less direct risk than the `evaluate` action of `browser_eval`.

No hardcoded secrets or direct obfuscation were found. Telemetry collection is opt-out and clearly documented.

Stats

  • Interest Score: 96
  • Security Score: 6
  • Cost Class: Medium
  • Avg Tokens: 5000
  • Stars: 525
  • Forks: 34
  • Last Update: 2026-01-08

Tags

Next.js, AI Agent, DevTools, MCP, Automation, Diagnostics, Documentation, Upgrade