playwright-mcp
Provides browser automation capabilities through Playwright, enabling LLMs to interact with web pages using structured accessibility data without requiring vision models.
88 / 100 · Grade B (B = 80–89)
“I need to automate web browser interactions and extract structured data from web pages without using vision models or screenshots.”
playwright-mcp earned Certified status with a trust score of 88/100 (Grade B). No adversarial findings — all attack patterns were handled gracefully. Supply chain contains 31 components with 4 known vulnerabilities. Security scan: clean.
Trust Score Breakdown
Eight weighted signals composing the aggregate trust score
Scheme v2.0 · Weights provisional · Consumer confirmations and uptime use pipeline-derived baselines.
Findings
Security scan results, adversarial testing, and pipeline review
Security Scan — Cisco MCP Scanner
Adversarial Testing — 6 categories, 0 findings
No adversarial findings — all attack patterns handled gracefully.
Methodology v1.0 · 6 categories · ~55 attack patterns
OWASP MCP Top 10 Coverage
Evaluation activity mapped to the OWASP MCP Top 10 risk framework
Excessive Agency & Permissions
Cisco scanner behavioral analysis of permission scope
Unauthorized Data Access
Category 3 (data exfiltration) attack patterns
Tool Poisoning
Category 1 (prompt injection) and Category 5 (context poisoning) attack patterns
Supply Chain Vulnerabilities
SBOM generation (syft/cdxgen) and vulnerability scanning (grype/osv-scanner/npm audit)
Command Injection
Category 2 (privilege escalation) and Category 6 (repo config injection) attack patterns
Intent Subversion
Category 1 (prompt injection) and Category 4 (capability squatting) attack patterns
Insecure Data Handling
Cisco scanner data flow and sensitive data handling analysis
Insufficient Logging
Not directly tested — logging adequacy requires runtime observation beyond current pipeline scope
Resource Exhaustion
Resource profiling (CPU, memory) during functional and adversarial testing
Context Injection
Category 5 (context poisoning) attack patterns
OWASP MCP Top 10 (Beta) — owasp.org/www-project-mcp-top-10
Supply Chain
SBOM analysis and vulnerability assessment
Components: 31
Direct deps: 2
Transitive deps: 29
Total vulns: 4
Vulnerability breakdown
Format: CycloneDX 1.5 · Generated: Mar 28, 2026
Behavioral Fingerprint
Runtime performance baseline for drift detection
Samples: 1934
Error rate: 0.2%
Peak memory: 6.5 MB
Avg CPU: —%
Response time distribution
Output size distribution
Per-tool performance
| Tool | p50 | p95 | Error rate | Samples |
|---|---|---|---|---|
| browser_drag | 3ms | 4ms | 0.0% | 207 |
| browser_tabs | 1ms | 8ms | 0.0% | 79 |
| browser_type | 3ms | 4ms | 0.0% | 164 |
| browser_click | 3ms | 4ms | 0.0% | 162 |
| browser_close | 1ms | 3ms | 0.0% | 6 |
| browser_hover | 3ms | 4ms | 0.0% | 106 |
| browser_resize | 1ms | 17ms | 0.0% | 49 |
| browser_install | 1164ms | 1464ms | 0.0% | 6 |
| browser_evaluate | 3ms | 6ms | 0.0% | 168 |
| browser_navigate | 10ms | 5872ms | 0.0% | 76 |
| browser_run_code | 2ms | 5ms | 0.0% | 74 |
| browser_snapshot | 7ms | 9ms | 0.0% | 55 |
| browser_wait_for | 9ms | 5016ms | 2.4% | 122 |
| browser_fill_form | 3ms | 7ms | 0.0% | 13 |
| browser_press_key | 1ms | 10ms | 0.0% | 57 |
| browser_file_upload | 4ms | 6ms | 0.0% | 24 |
| browser_handle_dialog | 5ms | 6ms | 0.0% | 61 |
| browser_navigate_back | 5850ms | 5930ms | 0.0% | 6 |
| browser_select_option | 3ms | 3ms | 0.0% | 111 |
| browser_take_screenshot | 3ms | 75ms | 0.0% | 207 |
| browser_console_messages | 1ms | 10ms | 0.0% | 108 |
| browser_network_requests | 5ms | 585ms | 0.0% | 73 |
Fingerprint v1.0 · Baseline: Mar 28, 2026 · Status: baseline
Interface
Enumerated tools, resources, and prompts
Tools (22)
browser_close
Close the page
browser_resize
Resize the browser window
browser_console_messages
Returns all console messages
browser_handle_dialog
Handle a dialog
browser_evaluate
Evaluate JavaScript expression on page or element
browser_file_upload
Upload one or multiple files
browser_fill_form
Fill multiple form fields
browser_install
Install the browser specified in the config. Call this if you get an error about the browser not being installed.
browser_press_key
Press a key on the keyboard
browser_type
Type text into editable element
browser_navigate
Navigate to a URL
browser_navigate_back
Go back to the previous page in the history
browser_network_requests
Returns all network requests since loading the page
browser_run_code
Run Playwright code snippet
browser_take_screenshot
Take a screenshot of the current page. You can't perform actions based on the screenshot, use browser_snapshot for actions.
browser_snapshot
Capture accessibility snapshot of the current page, this is better than screenshot
browser_click
Perform click on a web page
browser_drag
Perform drag and drop between two elements
browser_hover
Hover over element on page
browser_select_option
Select an option in a dropdown
browser_tabs
List, create, close, or select a browser tab.
browser_wait_for
Wait for text to appear or disappear or a specified time to pass
Transport: stdio
Scope & Permissions
What this capability can and cannot access — derived from pipeline analysis
no
no
no
yes
no
yes
Side effects
Makes outbound network requests
Accesses environment variables
Behavioral Guarantees
Claims extracted from publisher documentation — each tagged with provenance
Provides browser automation capabilities using Playwright [author]
Enables LLMs to interact with web pages through structured accessibility snapshots [author]
Uses Playwright's accessibility tree, not pixel-based input [author]
Operates purely on structured data without requiring vision models [author]
Provides deterministic tool application [author]
Avoids ambiguity common with screenshot-based approaches [author]
Bypasses the need for screenshots or visually-tuned models [author]
Supports host filtering via --allowed-hosts configuration [author]
Supports origin filtering via --allowed-origins configuration [author]
Accesses environment variables PLAYWRIGHT_MCP_ALLOWED_HOSTS [author]
Known failure modes
Host check can be disabled by passing '*' to --allowed-hosts
Origin filtering does not serve as a security boundary
Sources: author, protocol
Certification Notes
Provenance observations from the pipeline
Publisher "Microsoft Corporation" is not verified — first certification from this publisher
Single contributor — no peer review evidence in commit history
Repository is 1 day old — recently created
Package description appears to be boilerplate or template text
Signed Artifact
Certification provenance and verification metadata
Pipeline Artifacts
Raw data files from this certification run — downloadable for independent verification
contract.json
Full unsigned contract
stage1-ingest.json
Ingest stage output
stage2a-sbom.json
SBOM generation results
stage2a-vulns.json
Vulnerability scan results
stage2b-security.json
Security scan results
stage3a-functional.json
Functional test results
stage3b-adversarial.json
Adversarial test results
stage3c-fingerprint.json
Behavioral fingerprint
stage4-certify.json
Certification decision + trust score
stage3a-measurements.json
Raw functional test measurements
stage3b-measurements.json
Raw adversarial test measurements
run-log.json
Pipeline execution log
Not all files may be present for every certification.