MCP (Model Context Protocol) server for webpuppet browser automation.
This crate provides a standards-compliant MCP server that exposes webpuppet functionality as tools for AI assistants like GitHub Copilot, Claude Desktop, and other MCP-compatible clients.
- MCP-compliant: Implements JSON-RPC 2.0 over stdio (standard MCP transport)
- Tool exposure: Exposes AI prompting, screenshot, and research capabilities
- Security guardrails: Inherits webpuppet's permission system
- Response screening: Filters prompt injections and malicious content
- Browser detection: Automatically finds Brave/Chrome/Chromium
- Human intervention: Pause/resume for captchas, 2FA, and manual steps
| Tool | Description |
|---|---|
webpuppet_prompt |
Send a prompt through browser automation (providers + tools) |
webpuppet_screenshot |
Take screenshots of web pages |
webpuppet_list_providers |
List available AI providers |
webpuppet_provider_capabilities |
Get declared capabilities for a provider/tool |
webpuppet_detect_browsers |
Detect installed browsers |
webpuppet_check_permission |
Check if an operation is allowed |
webpuppet_intervention_status |
Check if human intervention is needed |
webpuppet_intervention_complete |
Signal that intervention is done |
webpuppet_pause |
Pause automation for manual interaction |
webpuppet_resume |
Resume automation after pause |
# Build and install
cargo install --path .
# Or run from source
cargo run -p webpuppet-mcp -- --stdioAdd to your .vscode/mcp.json:
{
"servers": {
"webpuppet": {
"command": "webpuppet-mcp",
"args": ["--stdio"],
"env": {}
}
}
}Or if running from cargo:
{
"servers": {
"webpuppet": {
"command": "cargo",
"args": ["run", "-p", "webpuppet-mcp", "--", "--stdio"],
"cwd": "/path/to/webpuppet",
"env": {}
}
}
}Add to your claude_desktop_config.json:
{
"mcpServers": {
"webpuppet": {
"command": "webpuppet-mcp",
"args": ["--stdio"]
}
}
}The MCP server includes tools for human-in-the-loop workflows:
- Captcha: reCAPTCHA, hCaptcha, Cloudflare challenges
- Two-Factor Auth: SMS codes, TOTP, email verification
- Login: Session expired, auth required
- Rate Limits: Too many requests
- Agent calls
webpuppet_intervention_statusto check state - If intervention needed, agent notifies user
- User completes manual task in visible browser
- User/agent calls
webpuppet_intervention_completewithsuccess=true - Automation resumes
Agent: "I need to send a prompt to Claude but see a captcha..."
Agent: [calls webpuppet_intervention_status]
Agent: "⚠️ A captcha is displayed. Please complete it in the browser."
User: [solves captcha manually]
User: "Done!"
Agent: [calls webpuppet_intervention_complete with success=true]
Agent: "Thank you! Continuing..."
All operations are subject to the webpuppet permission system:
- ✅ Allowed: Navigate, ReadContent, SendPrompt, ReadResponse, NewConversation, ContinueConversation, Screenshot
- ❌ Blocked: DeleteAccount, ChangePassword, ModifyPayment, RevokeTokens, FileSystemAccess, etc.
- 🌐 Domains: Only AI provider domains (claude.ai, x.com, gemini.google.com)
- 🌐 HTTPS-only: In secure mode,
http://URLs are denied ⚠️ Risk Threshold: Max risk level 5 (out of 10)
# Secure (default) - blocks destructive operations, allows AI interaction
webpuppet-mcp --policy secure
# Read-only - only allows reading, no prompts or modifications
webpuppet-mcp --policy readonly
# Permissive - allows most non-destructive operations (use with caution)
webpuppet-mcp --policy permissiveAll AI responses are automatically screened for:
- Invisible text: Zero-width characters, 1pt fonts
- Prompt injections: "Ignore previous instructions" patterns
- Encoded payloads: Base64, hex encoded content
- Hidden elements: CSS display:none, opacity:0
If screening detects issues, the response is sanitized and a warning is included.
{
"jsonrpc": "2.0",
"id": 1,
"method": "tools/call",
"params": {
"name": "webpuppet_prompt",
"arguments": {
"provider": "claude",
"message": "Explain how io_uring works in Rust",
"context": "Focus on memory safety"
}
}
}{
"jsonrpc": "2.0",
"id": 2,
"method": "tools/call",
"params": {
"name": "webpuppet_check_permission",
"arguments": {
"operation": "DeleteAccount"
}
}
}Response:
{
"jsonrpc": "2.0",
"id": 2,
"result": {
"content": [{
"type": "text",
"text": "# Permission Check\n\n**Operation**: `DeleteAccount`\n**Status**: ❌ DENIED\n**Reason**: Operation explicitly denied by policy\n**Risk Level**: 10/10"
}],
"isError": false
}
}┌─────────────────────────────────────────────────┐
│ MCP Client │
│ (VS Code, Claude Desktop, etc.) │
└─────────────────────┬───────────────────────────┘
│ JSON-RPC 2.0 / stdio
┌─────────────────────▼───────────────────────────┐
│ webpuppet-mcp Server │
│ ┌───────────────────────────────────────────┐ │
│ │ Permission Guard │ │
│ │ - Operation allowlist/blocklist │ │
│ │ - Domain restrictions │ │
│ │ - Risk level enforcement │ │
│ │ - Audit logging │ │
│ └───────────────────────────────────────────┘ │
│ ┌───────────────────────────────────────────┐ │
│ │ Tool Registry │ │
│ │ - webpuppet_prompt │ │
│ │ - webpuppet_screenshot │ │
│ │ - webpuppet_list_providers │ │
│ │ - webpuppet_detect_browsers │ │
│ │ - webpuppet_check_permission │ │
│ └───────────────────────────────────────────┘ │
└─────────────────────┬───────────────────────────┘
│
┌─────────────────────▼───────────────────────────┐
│ webpuppet │
│ - Browser automation (Brave/Chrome) │
│ - AI provider integration │
│ - Content screening │
│ - Session management │
└─────────────────────────────────────────────────┘
MIT