mirror of https://github.com/danny-avila/LibreChat.git synced 2026-04-07 00:15:23 +02:00

Will Wilson 0dc05d9e77 feat: add agent-browser MCP package with SSRF protection

Create packages/mcp-servers/agent-browser/ with:
- Generalised server.ts (no homelab-specific config)
- SSRF validation on navigate tool
- Optional Perplexica integration (env var toggle)
- Multi-stage Dockerfile with non-root user
- Updated docs: security warnings, correct config schema

Address review feedback:
- Fix SSRF vulnerability on navigate tool
- Remove autoApprove (not in mcpServers schema)
- Add mcpSettings.allowedDomains
- Fix broken docs links and file extensions
- Fix double-pipe table formatting
- Add Docker port exposure security guidance

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

2026-03-08 22:12:11 +00:00

1.3 KiB

Raw Blame History

@librechat/mcp-agent-browser

Vercel agent-browser wrapped as an MCP SSE server for LibreChat.

Uses Playwright with AI-optimised accessibility tree @ref snapshots — significantly better than raw CSS selectors for LLM-driven browser automation.

Tools

Tool	Description
`navigate`	Navigate to a URL (SSRF-protected)
`snapshot`	Get accessibility snapshot with `@ref` identifiers
`click`	Click element by `@ref` or CSS selector
`fill`	Fill form input by `@ref` or CSS selector
`get_text`	Get text content of an element
`press_key`	Press a keyboard key
`screenshot`	Take page screenshot
`get_url`	Get current URL
`close_browser`	Close browser session
`perplexica_search`	(Optional) Web search via Perplexica

Quick Start

docker build -t agent-browser-mcp .
docker run -p 8932:8932 agent-browser-mcp

LibreChat Configuration

mcpServers:
  agent-browser:
    type: sse
    url: http://agent-browser-mcp:8932/sse

Security

SSRF protection: The navigate tool rejects private IPs (10.x, 192.168.x, 172.16-31.x, 127.x) and internal hostnames.
Runs as non-root appuser in Docker.
No express.json() middleware — see source comments for explanation.

1.3 KiB Raw Blame History