PPuppeteer MCPMCP server for browser automation via Puppeteer. Executes arbitrary JavaScript with direct access to Puppeteer Browser instance. Single "execute" tool runs your code in a sandboxed Node.js VM with a browser global - full Puppeteer API access in one call.

mcp-so:pptr-mcp_iatsiuk

View source

100/100

First Seen

Feb 18, 2026

Last Scanned

Feb 18, 2026

Findings

Score

100/100

LOW 2

Findings (2)

LOW

Global package installation EXTDL_004

external-download L32

Detects global installation of packages which affects the host system

npm install -g p

FIX

Replace npm install -g with a local install (npm install --save-dev) or use npx with a pinned version. Global installs modify the system and risk supply chain attacks.

FP?

Likely FP if the global install is for a well-known CLI tool (e.g., typescript, eslint) in setup documentation, though the supply chain risk remains real.

LOW

npx MCP server without version pin MCPCFG_001

mcp-config L56

Detects MCP server configs using npx to run packages without version pinning

"command": "npx"

FIX

Pin the npx package in the MCP config to an exact version (e.g., @scope/server@1.2.3). Unpinned npx commands can silently fetch a compromised package version.

FP?

Likely FP if the MCP config is a local development setup example, though unpinned npx in production configs is a real supply chain risk.