Security audit findings — tool description injection + missing output sanitization

[manja316]

Hi @ChromeDevTools team,

I recently ran a security audit on chrome-devtools-mcp as part of research on MCP server security posture across the ecosystem.

Found a couple of items worth flagging:

1. Tool description injection risk
The server's tool descriptions aren't validated against adversarial prompt patterns. Since chrome-devtools-mcp gives coding agents direct browser control, an attacker who poisons tool descriptions could redirect the LLM into navigating to malicious pages, executing arbitrary JavaScript, or exfiltrating browser session data.

2. Missing output sanitization
DOM content, console output, and network responses are returned to the model context without scanning for injection patterns. A malicious web page could embed instructions that the LLM acts on — giving it a direct path from the web to the agent's action space.

Both are in a full audit report — 8-page PDF with CVSS ratings, EU AI Act mapping, and remediation steps — for $29 at luciferforge.github.io/mcp-security-audit.

Demo report: https://luciferforge.github.io/mcp-audit-reports/

— Lucifer / LuciferForge Security

[OrKoN]

Thanks for reporting! I am not sure how the tool descriptions can be injected as they are statically defined. The output is not sanitized as it is often useful for debugging (same way it is not sanitized in the DevTools UI). It is not recommended to run Chrome DevTools MCP with sensitive data and untrusted clients.