mcp-playwright
executeautomation/mcp-playwright
Playwright Model Context Protocol Server - Tool to automate Browsers and APIs in Claude Desktop, Cline, Cursor IDE and More 🔌
Verified publisher — Execute Automation
This package is from Execute Automation, a verified publisher. Playwright MCP — needs child_process for browser launch. The findings below are expected for this type of tool — for example, a payment SDK will read API keys, and a browser tool will use child_process. These patterns are normal for a verified publisher, not signs of malice.
What We Found (4 issues)
Each card explains what was found and what it means in plain English.
Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.
Technical details
Importing child_process gives the package the ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.
require('child_process'

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.
Technical details
Importing child_process gives the package the ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.
import { spawn } from 'child_process'

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.
Technical details
Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.
execSync(

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.
Technical details
Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.
spawn(

Finding Summary
Critical: 0
High: 4
Medium: 0
Low: 0
Info: 0