Alpha Preview: Fidensa is currently in early testing. Scores are for demonstration purposes and are not considered final or reliable.
playwright-mcp
Microsoft's official MCP server that provides browser automation capabilities using Playwright, enabling LLMs to interact with web pages through structured accessibility snapshots without requiring vision models.
71
/ 100 · Grade D
D = 60–69
“I need to automate web browser interactions and extract structured data from web pages without using vision models or screenshot-based approaches.”
playwright-mcp earned Verified status with a trust score of 71/100 (Grade D). Adversarial testing produced 1 finding (1 critical). Supply chain is clean — 31 components with no known vulnerabilities. Security scan: clean. Tier is Verified rather than Certified due to unmitigated findings above severity thresholds.
Trust Score Breakdown
Eight weighted signals composing the aggregate trust score
Scheme v2.0 · Weights provisional · Consumer confirmations and uptime use pipeline-derived baselines.
Findings
Security scan results, adversarial testing, and pipeline review
Security Scan — Cisco MCP Scanner
Adversarial Testing — 6 categories, 1 findings
Tool "browser_network_requests" responded to adversarial input "Absolute path escape" with content containing sensitive data patterns: credential.
Methodology v1.0 · 6 categories · ~55 attack patterns
OWASP MCP Top 10 Coverage
Evaluation activity mapped to the OWASP MCP Top 10 risk framework
Excessive Agency & Permissions
Cisco scanner behavioral analysis of permission scope
Unauthorized Data Access
Category 3 (data exfiltration) attack patterns
Tool Poisoning
Category 1 (prompt injection) and Category 5 (context poisoning) attack patterns
Supply Chain Vulnerabilities
SBOM generation (syft/cdxgen) and vulnerability scanning (grype/osv-scanner/npm audit)
Command Injection
Category 2 (privilege escalation) and Category 6 (repo config injection) attack patterns
Intent Subversion
Category 1 (prompt injection) and Category 4 (capability squatting) attack patterns
Insecure Data Handling
Cisco scanner data flow and sensitive data handling analysis
Insufficient Logging
Not directly tested — logging adequacy requires runtime observation beyond current pipeline scope
Resource Exhaustion
Resource profiling (CPU, memory) during functional and adversarial testing
Context Injection
Category 5 (context poisoning) attack patterns
OWASP MCP Top 10 (Beta) — owasp.org/www-project-mcp-top-10
Supply Chain
SBOM analysis and vulnerability assessment
Components
31
Direct deps
2
Transitive deps
29
Total vulns
0
Format: CycloneDX 1.5 · Generated: Apr 2, 2026
Behavioral Fingerprint
Runtime performance baseline for drift detection
Samples
2067
Error rate
1.5%
Peak memory
6.6 MB
Avg CPU
0.00%
Response time distribution
Output size distribution
Per-tool performance
| Tool | p50 | p95 | Error rate | Samples |
|---|---|---|---|---|
| browser_drag | 6ms | 13ms | 0.0% | 208 |
| browser_tabs | 3ms | 37ms | 0.0% | 79 |
| browser_type | 6ms | 14ms | 0.0% | 164 |
| browser_click | 4ms | 14ms | 0.0% | 163 |
| browser_close | 1066ms | 1283ms | 0.0% | 6 |
| browser_hover | 5ms | 13ms | 0.0% | 106 |
| browser_resize | 5ms | 845ms | 0.0% | 49 |
| browser_evaluate | 6ms | 15ms | 0.0% | 219 |
| browser_navigate | 6ms | 5912ms | 0.0% | 75 |
| browser_run_code | 5ms | 11ms | 0.0% | 120 |
| browser_snapshot | 11ms | 32ms | 0.0% | 75 |
| browser_wait_for | 4ms | 30012ms | 24.8% | 94 |
| browser_fill_form | 6ms | 23ms | 0.0% | 13 |
| browser_press_key | 4ms | 15ms | 0.0% | 57 |
| browser_file_upload | 5ms | 20ms | 0.0% | 23 |
| browser_handle_dialog | 12ms | 29ms | 0.0% | 61 |
| browser_navigate_back | 1101ms | 5920ms | 0.0% | 6 |
| browser_select_option | 6ms | 14ms | 0.0% | 111 |
| browser_take_screenshot | 6ms | 346ms | 0.0% | 205 |
| browser_console_messages | 4ms | 39ms | 0.0% | 113 |
| browser_network_requests | 12ms | 194ms | 0.0% | 120 |
Fingerprint v1.0 · Baseline: Apr 2, 2026 · Status: baseline
Interface
Enumerated tools, resources, and prompts
Tools (21)
browser_close
Close the page
browser_resize
Resize the browser window
browser_console_messages
Returns all console messages
browser_handle_dialog
Handle a dialog
browser_evaluate
Evaluate JavaScript expression on page or element
browser_file_upload
Upload one or multiple files
browser_fill_form
Fill multiple form fields
browser_press_key
Press a key on the keyboard
browser_type
Type text into editable element
browser_navigate
Navigate to a URL
browser_navigate_back
Go back to the previous page in the history
browser_network_requests
Returns all network requests since loading the page
browser_run_code
Run Playwright code snippet
browser_take_screenshot
Take a screenshot of the current page. You can't perform actions based on the screenshot, use browser_snapshot for actions.
browser_snapshot
Capture accessibility snapshot of the current page, this is better than screenshot
browser_click
Perform click on a web page
browser_drag
Perform drag and drop between two elements
browser_hover
Hover over element on page
browser_select_option
Select an option in a dropdown
browser_tabs
List, create, close, or select a browser tab.
browser_wait_for
Wait for text to appear or disappear or a specified time to pass
Transport: stdio
Scope & Permissions
What this capability can and cannot access — derived from pipeline analysis
no
no
no
yes
no
yes
Side effects
Makes outbound network requests
Accesses environment variables
Behavioral Guarantees
Claims extracted from publisher documentation — each tagged with provenance
Provides browser automation capabilities using Playwright
authorEnables LLMs to interact with web pages through structured accessibility snapshots
authorUses Playwright's accessibility tree, not pixel-based input
authorOperates purely on structured data without requiring vision models
authorProvides deterministic tool application
authorAvoids ambiguity common with screenshot-based approaches
authorBypasses the need for screenshots or visually-tuned models
authorSupports host filtering via --allowed-hosts configuration
authorSupports origin filtering via --allowed-origins configuration
authorAccesses environment variables PLAYWRIGHT_MCP_ALLOWED_HOSTS
authorKnown failure modes
Host check can be disabled by passing '*' to --allowed-hosts
Origin filtering does not serve as a security boundary
Sources: author, protocol
Badge & Integration
Embed certification status in your README, docs, or CI pipeline
Certification Notes
Provenance observations from the pipeline
Publisher "Microsoft Corporation" is not verified — first certification from this publisher
Single contributor — no peer review evidence in commit history
Package description appears to be boilerplate or template text
Signed Artifact
Certification provenance and verification metadata
The original instruction file with a certification footer appended. Replace the source file in your project so AI agents see the trust score, verification link, and SOP.
ES256-signed JWS artifact for programmatic verification. Use with the Fidensa MCP server or GitHub Action to validate integrity.
Pipeline Artifacts
Raw data files from this certification run — downloadable for independent verification
contract.json
Full unsigned contract
stage1-ingest.json
Ingest stage output
stage2a-sbom.json
SBOM generation results
stage2a-vulns.json
Vulnerability scan results
stage2b-security.json
Security scan results
stage3a-functional.json
Functional test results
stage3b-adversarial.json
Adversarial test results
stage3c-fingerprint.json
Behavioral fingerprint
stage4-certify.json
Certification decision + trust score
stage3a-measurements.json
Raw functional test measurements
stage3b-measurements.json
Raw adversarial test measurements
run-log.json
Pipeline execution log
Not all files may be present for every certification.