MCP Browser Automation Security: Why Hosted APIs Have a Different Threat Model


via Dev.to WebdevCustodia-Admin

The MCP ecosystem is moving fast. Thousands of MCP servers are now in production, giving AI agents access to browsers, filesystems, and external APIs. Security researchers have started paying attention — and what they're finding is worth understanding before you ship.

The local execution problem

Most MCP browser automation tools work by running a local process — a headless browser, a Playwright instance, a Puppeteer script — on the same machine as your AI agent. The agent calls the MCP tool, which has access to:

- Your local filesystem
- Your browser's cookies and stored credentials
- Your camera and microphone (in some implementations)
- Your network, running as your user

When that works as intended, it's fine. When it doesn't — through a prompt injection attack, a malicious MCP server in a multi-server setup, or a vulnerability in the MCP client itself — the blast radius is your entire local environment.

The Skill
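One way to shrink that blast radius on the local side is to put a policy check in front of the tool's navigation action, so an injected instruction cannot steer the browser at local files or the private network. The following is an added example written for this page, not code from the article or from any MCP project; the tool name `browser.navigate`, the `NavigationPolicy` class and the sample tool calls are assumptions constructed for illustration.

```python
"""Allowlist guard for a hypothetical MCP 'browser.navigate' tool (constructed example)."""
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class NavigationPolicy:
    """Hosts the agent's browser tool may visit; everything else is refused."""
    allowed_hosts: frozenset
    allowed_schemes: frozenset = frozenset({"https"})

    def check(self, url: str) -> tuple[bool, str]:
        parts = urlsplit(url)
        # file://, javascript:, chrome:// etc. are refused before anything else.
        if parts.scheme not in self.allowed_schemes:
            return False, f"scheme '{parts.scheme}' not allowed"
        host = parts.hostname or ""
        # A literal IP that is loopback, private or link-local is refused even if
        # someone adds it to the allowlist by mistake; names are checked next.
        try:
            if not ipaddress.ip_address(host).is_global:
                return False, f"non-public address '{host}'"
        except ValueError:
            pass  # not an IP literal
        if host in ("localhost", "") or host.endswith((".local", ".localhost")):
            return False, f"local name '{host}' refused"
        if host not in self.allowed_hosts:
            return False, f"host '{host}' not in allowlist"
        return True, "ok"


def audit_tool_calls(policy: NavigationPolicy, calls: list[dict]) -> list[dict]:
    """Apply the policy to a batch of tool calls; returns one decision per call."""
    decisions = []
    for call in calls:
        if call.get("tool") != "browser.navigate":
            decisions.append({**call, "allowed": False, "reason": "unknown tool"})
            continue
        allowed, reason = policy.check(call["args"]["url"])
        decisions.append({**call, "allowed": allowed, "reason": reason})
    return decisions


# Constructed sample: one legitimate call and three that an injected page might request.
SAMPLE_CALLS = [
    {"tool": "browser.navigate", "args": {"url": "https://docs.example.com/guide"}},
    {"tool": "browser.navigate", "args": {"url": "file:///home/user/report.txt"}},
    {"tool": "browser.navigate", "args": {"url": "https://192.168.1.10/"}},
    {"tool": "browser.navigate", "args": {"url": "http://docs.example.com/guide"}},
]
POLICY = NavigationPolicy(allowed_hosts=frozenset({"docs.example.com"}))
```

Run `audit_tool_calls(POLICY, SAMPLE_CALLS)` to see one allowed decision and three refusals with their reasons; the same check belongs in the hosted-API case too, but there a refusal costs a request, not your home directory.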

Continue reading on Dev.to Webdev
