Self-hosted Puppeteer MCP server with remote SSE access, API key authentication, and Docker deployment. Complete tool suite for browser automation via Model Context Protocol.
Drift inferred · capture-to-capture
- HIGH code analysis flagged dynamic code execution in sultannaufal/puppeteer-mcp-server
transport streamable-http · http · sse counts 0 tools · 0 res
· 0 prompts
permission surface via code analysis
no tools enumerated yet for this server.
prompt-surface
shipped agent-instruction files + hidden-content / dangerous-code findings —
quoted from the analyzed source
analyzed commit db0bcec · analyzer v17 · 2h ago
danger signals1
- dynamic code executioneval()sultannaufal-puppeteer-mcp-server-db0bcec/src/tools/evaluate.ts:102
const result = eval(${JSON.stringify(validatedParams.script)});
evidence-backed
findings quoted directly from the published source artifact — not inferred
filesystem 1
- fs sultannaufal-puppeteer-mcp-server-db0bcec/src/services/image-storage.ts :6
import { promises as fs } from 'fs';
secrets 1
- secrets sultannaufal-puppeteer-mcp-server-db0bcec/src/utils/config.ts :59
apiKey: validateRequiredEnv('API_KEY', process.env.API_KEY),
declared dependencies 33
- @modelcontextprotocol/sdk@^1.0.1
- compression@^1.7.4
- cors@^2.8.5
- dotenv@^16.3.1
- express@^4.18.2
- express-rate-limit@^7.1.5
- express-slow-down@^2.0.1
- helmet@^7.1.0
- joi@^17.11.0
- puppeteer@^24.31.0
- tsconfig-paths@^4.2.0
- uuid@^9.0.1
- winston@^3.11.0
- @types/compression@^1.7.5
- @types/cors@^2.8.17
- @types/express@^4.17.21
- @types/jest@^29.5.8
- @types/node@^20.10.4
- @types/supertest@^2.0.16
- @types/uuid@^9.0.7
- @typescript-eslint/eslint-plugin@^6.13.1
- @typescript-eslint/parser@^6.13.1
- eslint@^8.55.0
- jest@^29.7.0
- nodemon@^3.0.2
- prettier@^3.1.0
- rimraf@^5.0.5
- supertest@^6.3.3
- ts-jest@^29.1.1
- ts-node@^10.9.1
- ts-node-dev@^2.0.0
- tsc-alias@^1.8.16
- typescript@^5.3.3