← MCP Scorecard / browserbase/mcp-server-browserbase
APass

browserbase/mcp-server-browserbase

composite 98 / 100 · pinned commit 1e196b3d3c4d · ruleset pack-mcp-core@0.1.0 · 1,754/wk
Tool-description injection w20100
Credential / secret handling w20100
Network egress / SSRF w20100
Permission scope vs declared w2590
Supply-chain provenance w15100

Findings

Each finding names the rule it triggered, what that rule means, its CWE reference, and the line of code it points at. An observed code path, published as a flow, never as intent.

Medium  MCP-BIND-NO-AUTH

binds all interfaces (0.0.0.0) with no detected inbound auth

src/index.ts:81

Embed this grade

MCP security: grade AMCP securityA
Grade A — Pass
[![MCP security: A](https://sentinel-engine-ggaj.onrender.com/registry/badge/browserbase__mcp-server-browserbase.svg)](https://sentinel-engine-ggaj.onrender.com/registry/browserbase__mcp-server-browserbase.html)

🔁 Verify it yourself: clone browserbase/mcp-server-browserbase at 1e196b3d3c4d and run the open scanner (anwen-labs/sentinel-mcp, ruleset pack-mcp-core@0.1.0). Same input → same grade, every time.