Playwright MCP

v2026.6

Microsoft

MCPbrowser-automationplaywrighttestingweb-scraping

Strong

About This MCP

Microsoft's official MCP server for browser automation via Playwright. Exposes 25+ tools (navigation, clicking, typing, form filling, screenshots, network inspection, JS evaluation) that operate on structured accessibility-tree snapshots rather than pixels, making agent-driven browsing fast and deterministic. Supersedes the archived Puppeteer reference server.

Last Evaluated: June 10, 2026

Official Website

Trust Vector Analysis

Dimension Breakdown

🚀Performance & Reliability

snapshot accuracy

Review of snapshot mechanism (browser_snapshot) and element-reference stability across page interactions

Evidence

Playwright MCP README — Uses Playwright accessibility-tree snapshots instead of pixel-based screenshots, giving the LLM deterministic, structured page state with stable element references

highVerified: 2026-06-10

operation success rate

Hands-on testing of navigation, clicking, typing, and form-fill tools against common web applications

Evidence

Playwright MCP tool documentation — Core interaction tools (browser_navigate, browser_click, browser_type, browser_fill_form) inherit Playwright's auto-waiting and actionability checks, yielding high success rates on standard web UIs

highVerified: 2026-06-10

browser compatibility

Cross-browser capability review based on underlying Playwright engine support

Evidence

Playwright browser support — Built on Playwright, supporting Chromium, Firefox, and WebKit engines with consistent automation APIs

highVerified: 2026-06-10

error recovery

Error-path testing including timeouts, missing elements, modal dialogs, and navigation failures

Evidence

Playwright MCP repository — Failed actions return structured error messages and fresh page snapshots, allowing the agent to retry; dialog and file-upload handlers prevent common automation deadlocks

mediumVerified: 2026-06-10

automation stability

Multi-step workflow stability testing across tabs, dialogs, and dynamic pages

Evidence

Playwright auto-waiting documentation — Playwright's actionability checks (visible, stable, enabled) reduce flakiness common in agent-driven browsing; tab management and network-request inspection aid multi-step flows

mediumVerified: 2026-06-10

🛡️Security

prompt injection resistance

Threat modeling of untrusted web content entering the agent context via snapshots and screenshots

Evidence

Agentic browsing security analysis — Page content (accessibility snapshots, network responses) flows directly into the LLM context; untrusted web pages can embed instructions that hijack the agent (indirect prompt injection). No built-in content sanitization

highVerified: 2026-06-10

arbitrary code execution risk

Capability analysis of the browser_evaluate tool and its abuse potential under prompt injection

Evidence

Playwright MCP tool list — browser_evaluate executes arbitrary JavaScript in the page context, enabling data exfiltration or session manipulation if the agent is compromised; capability can be restricted via configuration

highVerified: 2026-06-10

sandboxing isolation

Review of --isolated, headless, and origin-filtering configuration flags as mitigations

Evidence

Playwright MCP configuration options — Supports isolated browser profiles (no persisted state), headless mode, and origin allow/block lists, which substantially limit blast radius when configured; default persistent profile retains cookies and logins

highVerified: 2026-06-10

credential exposure risk

Analysis of session/cookie access in persistent vs isolated profile modes

Evidence

Playwright MCP profile behavior — When run against a persistent profile, the agent operates with the user's logged-in sessions and cookies; typed credentials and page secrets appear in snapshots sent to the LLM

mediumVerified: 2026-06-10

unauthorized action risk

Authorization boundary analysis of write-capable browsing actions

Evidence

MCP security guidance — Agent can perform any web action the browser session allows (purchases, posts, account changes); host-level tool approval is the primary guardrail since the server itself does not gate destructive actions

mediumVerified: 2026-06-10

🔒Privacy & Compliance

browsing data exposure

Data flow analysis of snapshot, screenshot, and network tool outputs

Evidence

MCP data flow architecture — Full page content, screenshots, and network request data are sent to the LLM provider as tool results, exposing any visited page (including authenticated content) to a third party

highVerified: 2026-06-10

sensitive data protection

Privacy controls assessment of snapshot and screenshot content handling

Evidence

Playwright MCP repository — No built-in redaction of PII, credentials, or payment data visible on pages; protection relies on operator discipline (isolated profiles, restricted origins)

mediumVerified: 2026-06-10

local data control

Review of local execution model and data residency

Evidence

Playwright MCP architecture — Server runs locally (stdio default); browser state, profiles, and traces remain on the user's machine, with no vendor-side telemetry collection by the MCP server itself

highVerified: 2026-06-10

third party data sharing

Data sharing pathway analysis

Evidence

MCP client documentation — Browsing data is shared only with the connected LLM provider per that provider's privacy policy; the server itself transmits nothing to Microsoft

mediumVerified: 2026-06-10

👁️Trust & Transparency

documentation quality

Documentation completeness and accuracy review

Evidence

Playwright MCP README — Thorough documentation of all 25+ tools, configuration flags, client setup for major MCP hosts, and isolated/extension/server modes

highVerified: 2026-06-10

open source transparency

Source code and license review

Evidence

GitHub repository — Fully open source under Apache-2.0 with public issue tracker and active development by the Playwright team

highVerified: 2026-06-10

operation visibility

Logging and traceability assessment

Evidence

Playwright MCP tooling — Every browser action is an explicit, named tool call visible in MCP host logs; optional Playwright traces and browser_network_requests provide deep inspection of agent behavior

highVerified: 2026-06-10

vendor credibility

Maintainer reputation and project health analysis

Evidence

GitHub API — Maintained by Microsoft's Playwright team; 33,734 GitHub stars as of 2026-06-10, one of the most adopted MCP servers

highVerified: 2026-06-10

⚙️Operational Excellence

ease of setup

Setup complexity assessment across MCP hosts

Evidence

npm package @playwright/mcp — Single-command setup via npx @playwright/mcp@latest; no API keys required; one-click install paths documented for VS Code, Cursor, Claude Code, and other hosts

highVerified: 2026-06-10

performance

Latency and token-efficiency comparison against pixel-based browser automation

Evidence

Playwright MCP design notes — Accessibility-snapshot approach avoids vision-model overhead, making interactions faster and cheaper in tokens than screenshot-based automation

mediumVerified: 2026-06-10

feature coverage

Feature completeness assessment against common browser-automation needs

Evidence

Playwright MCP tool reference — 25+ tools covering navigation, clicks, typing, form fill, snapshots, screenshots, network requests, JS evaluation, tabs, file upload, and dialog handling

highVerified: 2026-06-10

community adoption

Adoption metrics and ecosystem-integration analysis

Evidence

GitHub API — 33,734 stars; bundled or recommended by major MCP hosts and widely used as the default browser-automation server, replacing the archived Puppeteer reference server

highVerified: 2026-06-10

maintenance activity

Commit frequency and release-cadence analysis

Evidence

GitHub repository activity — Frequent releases tracking Playwright versions, active issue triage by the Microsoft Playwright team

highVerified: 2026-06-10

Strengths

+Accessibility-tree snapshots give fast, deterministic, token-efficient page interaction without vision models
+Comprehensive tool set: navigation, forms, screenshots, network inspection, tabs, dialogs, file upload
+Backed and actively maintained by Microsoft's Playwright team (33.7k stars)
+Cross-browser support (Chromium, Firefox, WebKit) with Playwright's auto-waiting reliability
+Strong mitigation options: isolated profiles, headless mode, origin allow/block lists
+Flexible transports: stdio by default plus standalone HTTP/SSE server mode

Limitations

!Untrusted page content flows into the LLM context, creating indirect prompt-injection risk
!browser_evaluate allows arbitrary JavaScript execution in pages — high-risk if the agent is hijacked
!Default persistent profile exposes logged-in sessions and cookies to agent actions
!All visited page content (including authenticated/private pages) is sent to the LLM provider
!No built-in redaction of PII or credentials visible in snapshots and screenshots
!Destructive web actions (purchases, posts) are only gated by host-level tool approval

Metadata

license: Apache-2.0

supported platforms

0: All platforms with Node.js 18+

programming languages

0: TypeScript

mcp version: 1.0

github repo: https://github.com/microsoft/playwright-mcp

github stars: 33734

package: @playwright/mcp

api dependency: Playwright (Chromium/Firefox/WebKit)

authentication: None required (local browser control)

first release: 2025-03

maintained by: Microsoft (Playwright team)

status: Active

supersedes: mcp-server-puppeteer (archived reference server)

transport types

0: stdio

1: http

2: sse

installation methods

0: npm

1: npx

2: docker

3: vscode-extension

Use Case Ratings

code generation

Excellent for web app testing, UI verification, and agent-driven E2E automation during development

research assistant

Strong for interactive web research and data gathering, but exposed to prompt injection from untrusted pages

data analysis

Useful for scraping and extracting structured data via snapshots and network inspection

customer support

Can reproduce user-reported web issues and walk through flows; requires careful session isolation

content creation

Handy for previewing, screenshotting, and verifying published web content

education

Great for teaching web automation and testing concepts with visible, explainable tool calls