High-risk tools in Playwright MCP Server
21 of the 33 tools in Playwright MCP Server are classified as high risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at high risk
-
playwright_clickExecuteClick an element on the page
-
playwright_click_and_switch_tabExecuteClick a link and switch to the newly opened tab
-
playwright_closeExecuteClose the browser and release all resources
-
playwright_deleteExecutePerform an HTTP DELETE request
-
playwright_dragExecuteDrag an element to a target location
-
playwright_evaluateExecuteExecute JavaScript in the browser console
-
playwright_expect_responseExecuteAsk Playwright to start waiting for a HTTP response. This tool initiates the wait operation but does not wait for its completion.
-
playwright_fillExecutefill out an input field
-
playwright_go_backExecuteNavigate back in browser history
-
playwright_go_forwardExecuteNavigate forward in browser history
-
playwright_hoverExecuteHover an element on the page
-
playwright_iframe_clickExecuteClick an element in an iframe on the page
-
playwright_iframe_fillExecuteFill an element in an iframe on the page
-
playwright_navigateExecuteNavigate to a URL
-
playwright_patchExecutePerform an HTTP PATCH request
-
playwright_postExecutePerform an HTTP POST request
-
playwright_press_keyExecutePress a keyboard key
-
playwright_putExecutePerform an HTTP PUT request
-
playwright_resizeExecuteResize the browser viewport using manual dimensions or device presets. Supports 143+ device presets including iPhone, iPad, Android devices, and desktop browsers with proper use...
-
playwright_selectExecuteSelect an element on the page with Select tag
-
start_codegen_sessionExecuteStart a new code generation session to record Playwright actions
Attacks that target this class
High-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.