Does playwright-mcp-server send data, and where? — data-flow verdict
provisional · AUTOMATED — forensic confirmation pending. A preliminary, fact-based result, not a judgment.
100/100 integrity
100% evidence coverage
evidence-backed
Measures evidence support, not confidence — how this is scored
Verdict (the facts)
- Tool
- npm/playwright-mcp-server
- Integrity axis
- honest — Observed behaviour matches its description; no undisclosed recipient.
- Data-flow axis
- No network egress to external destinations was observed — the tool ran purely locally.
- Disclosure
- n/a — No external egress was observed; there is nothing to disclose.
- Capture self-test
- verified
- Severity
- none — integrity axis (no undeclared exfiltration; no egress at all).
- Version (pinned)
- 1.0.0 · commit
- Content hash
- sha256:0d9a58a854d8f054eff57493e080dd876b4b203200a808c310d6880d4c8b803e
- Signature
- ed25519:5W9beek16dKZpUgnXlNa3PowvvIeYyzPp490Tl… · Ed25519 public key · sha256:49cf8457b42a7048
- Scanned
- 2026-06-14T00:00:00Z — Pinned to playwright-mcp-server@1.0.0, published 2025-04-18. This verdict applies to that exact version; a newer release would require a re-scan.
- Re-verified
- 2026-06-14 — pinned version current
- Categories
- browser-automation no-egress published
- Observation history
- 1 scan(s); first seen 2026-06-14T00:00:00Z · latest 2026-06-14T00:00:00Z
Observed egress destinations
| host | country | jurisdiction | class | disclosure | frequency | kind |
|---|
Jurisdiction context:
Disclosure check (the §824 evidence)
- Read
- Quoted from the tool's own docs
- “”
- Match
- No external egress was observed; there is nothing to disclose.
- Residual gap
How we know this — claims by basis
A verdict is a reproducible evidence container, not just a claim. Each assertion is tagged: an observation is in the capture and reproducible; an inference is our reasoning over it; documented is the tool’s own statement; a classification is our adversarially-reviewed judgment. Observation never reads as inference.
Observed — directly in the capture, reproducible
- No network egress to an external destination was observed during the scan. — Capture self-test: verified — a decoy beacon emitted from the tool's own network context appeared in the intercept, so the absence is a verified negative, not a blind spot. (confidence: high)
Classified — our adversarially-reviewed judgment
- No telemetry, analytics or error-reporting side-channel was found. — Reviewed against the tool's observed behaviour in the run. (confidence: medium)
Method
Installed and run in an isolated container; fed traceable decoy data; all outbound traffic intercepted (TLS broken via own CA, iptables transparent redirect). A beacon self-test confirmed the capture was live.
Scope
Compares the tool's declared destinations against what was observed in one sandbox run. Checks transparency / integrity for a cooperative tool, NOT resistance to deliberate evasion. "honest"/"clean" means "observed without deviation within our reach", NOT "guaranteed no hidden egress".
Out of scope: exfiltration split/chunked across requests; tool-side encryption of the payload before egress; input/time/state-triggered processing not triggered in the run.
Machine-readable verdict: /verdict/playwright.json.
This page describes observed behaviour and its relation to the tool's own disclosures — it is not a legal judgment.
Search context: does playwright-mcp-server send data, playwright-mcp-server privacy, playwright-mcp-server data flow, playwright-mcp-server telemetry, where does playwright-mcp-server send data, is playwright-mcp-server safe, what data does playwright-mcp-server collect, how to disable playwright-mcp-server telemetry, playwright-mcp-server opt out tracking, playwright-mcp-server GDPR data residency, playwright-mcp-server third-party / jurisdiction.