Stealth Chromium MCP server with hybrid AOM + Set-of-Mark vision. Patchright-grade anti-detection. Token-lean by default.
stealth-agent-browser-mcp
A Model Context Protocol (MCP) server that gives AI agents a stealth-grade Chromium browser with a hybrid Accessibility-Object-Model + Set-of-Mark vision interface. Built for Claude, works with any MCP-compatible host.
- Stealth first. Uses
rebrowser-playwrightto patch theRuntime.EnableCDP leak that bypassesplaywright-extra-class stealth plugins. Passes modern bot-detection suites (CreepJS, bot.sannysoft.com) where vanilla Playwright fails. - Token-lean by default.
browser_snapshotreturns Playwright aria snapshot YAML (~2–5 KB) instead of raw HTML (100KB+). Every interactive element carries a[ref=eN]id that actions consume directly — no selectors, no drift. - Hybrid vision when it matters. Ask for
mode: "hybrid"and the server overlays numbered red boxes on the screenshot so the model can ground visually (Set-of-Mark prompting, Yang et al.). The ref ids on the image match the ids in the YAML. No parallel numbering scheme to go out of sync. - Readability-based content extraction.
browser_scroll_readruns Mozilla Readability through JSDOM and returns clean Markdown — optionally delta-only, so re-reads cost nothing when nothing changed. - Proxy-ready. Per-session proxy auth, useful with residential pools.
Authorized use only. Stealth tooling has legitimate applications (accessibility auditing, your-own-account automation, QA against sites you own or have permission to test). Do not use this server to violate a site's terms of service or applicable law. See SECURITY.md.
Install
npm install -g stealth-agent-browser-mcp
# Chromium binary is fetched automatically on first launch
npx playwright-core install chromium
Or run without install via npx stealth-agent-browser-mcp.
Quickstart (Claude Desktop / Claude Code / Cursor)
Add to your MCP config:
{
"mcpServers": {
"stealth-browser": {
"command": "npx",
"args": ["-y", "stealth-agent-browser-mcp"],
"env": {
"SAB_HEADLESS": "true",
"SAB_STEALTH_LEVEL": "patched"
}
}
}
}
Restart the host. The agent will see the tools listed below.
Tools
| Tool | Purpose |
|---|---|
| browser_navigate | Navigate a URL and return a snapshot. |
| browser_snapshot | aom (YAML only, cheapest), vision (raw screenshot), or hybrid (YAML + Set-of-Mark screenshot). |
| browser_click | Click an element by its [ref=eN]. |
| browser_type | Type into an input/textarea by ref. |
| browser_select | Choose options in a <select> by ref. |
| browser_scroll_read | Scroll and return Readability Markdown (delta-only by default). |
| browser_wait_for | Wait for text or a ref to become visible. |
| browser_tabs | list / new / close / switch. |
| browser_eval | Evaluate a JS expression in the page's MAIN world; JSON result. |
| browser_set_proxy | Update single-proxy config (effective after browser_restart). |
| browser_set_proxy_pool | Replace residential proxy pool at runtime (effective after browser_restart). |
| browser_solve_captcha | Fallback captcha solver (CapSolver / 2Captcha). Detects Turnstile/hCaptcha/reCAPTCHA on the page. |
| browser_restart | Close + re-open the active browser session with current config. |
All action tools are addressed by the ref emitted in the last AOM snapshot. Refs are Playwright's own aria-ref=eN ids — there is no parallel numbering scheme.
Configuration
All via environment variables:
| Var | Default | Notes |
|---|---|---|
| SAB_HEADLESS | true | false for a visible window (debugging). |
| SAB_STEALTH_LEVEL | patched | off | patched | paranoid. |
| SAB_PROXY_SERVER | — | Single-proxy mode. e.g. http://host:port |
| SAB_PROXY_USERNAME / SAB_PROXY_PASSWORD | — | |
| SAB_PROXY_POOL | — | Residential pool. Comma-separated URLs (http://u:p@host:port,...) or a JSON array of {server, username, password}. |
| SAB_PROXY_ROTATION | per-restart | per-session | per-restart | static. |
| SAB_PROXY_STICKY_TEMPLATE | — | Username template for sticky-IP providers. ${sessionId} interpolates. Example: brd-customer-c1-zone-res-session-${sessionId}. |
| SAB_HUMAN_MOUSE | true | Bezier-path click with pre-click hesitation. Defeats Datadome trajectory analysis. |
| SAB_CAPTCHA_PROVIDER | none | capsolver | twocaptcha | none. |
| SAB_CAPTCHA_API_KEY | — | Provider API key. |
| SAB_USER_DATA_DIR | — | Persistent profile directory (cookies build reputation). |
| SAB_DEFAULT_TIMEOUT_MS | 15000 | Per-action timeout. |
| SAB_MAX_ANNOTATED | 75 | Max labelled boxes in hybrid mode. |
| SAB_VIEWPORT_W / SAB_VIEWPORT_H | 1366 / 768 | |
| SAB_LOCALE | en-US | |
| SAB_TIMEZONE | America/New_York | |
| LOG_LEVEL | info | debug, warn, etc. Always writes to stderr. |
Architecture
src/
├── index.ts # Entry (stdio)
├── server.ts # MCP server + tool registration
├── tools.ts # Tool handlers
├── browser.ts # Stealth Chromium launcher (rebrowser-playwright)
├── session.ts # Per-connection browser/context/page state
├── snapshot.ts # AOM + Set-of-Mark pipeline
├── annotate.ts # SVG overlay compositing (sharp)
├── reader.ts # Readability → Markdown (pierces open shadow roots)
├── fingerprint.ts # Rotatable UA/viewport/timezone profiles
├── proxy.ts # Residential pool + rotation + sticky-session template
├── human-mouse.ts # Bezier-curve cursor paths (ghost-cursor math)
├── captcha.ts # CapSolver / 2Captcha REST adapters
├── config.ts # Zod-validated env config
└── logger.ts # pino → stderr (never stdout)
All logs go to stderr — stdout is reserved for JSON-RPC. Never add console.log.
TLS / JA3 fingerprint — why there is no Node-layer spoofer here
A common ask for scrapers is: "spoof the TLS ClientHello (JA3) to look like Chrome, via curl-impersonate or node-tls-client."
That applies to Node-layer HTTP scrapers (fetch, got, axios) where the TCP connection originates from Node's OpenSSL, which emits a ClientHello signature distinct from Chrome's BoringSSL — and Cloudflare / Akamai Bot Manager drop it at the network layer before a single byte of JavaScript runs.
This MCP does not have that architecture. Every request exits through Chromium. Chromium's TLS stack is Chrome's TLS stack (literally the same BoringSSL build), so the ClientHello JA3 is Chrome's JA3 by construction. No JS-level rewriting is possible or necessary.
The one place TLS can still betray you is if you route through a proxy that terminates and re-initiates TLS (MITM). Residential proxy providers (Bright Data, DataImpulse, Oxylabs residential, SOAX) route at TCP — they do not MITM TLS — and the Chromium handshake reaches the origin unmodified. The products that do MITM TLS are managed scraping browsers (Bright Data's Scraping Browser, Oxylabs Web Unblocker), which ship their own headless Chrome and replace this MCP rather than layering on top of it.
Bottom line: with rebrowser-playwright + residential pool (P1) + human mouse (P2), the TLS fingerprint, CDP runtime, DOM surface, and behavioral layer all match real Chrome. Captcha solving (P3) is a fallback for the 1–5% of sessions that still get flagged.
Benchmarks
npm run bench:stealth launches the configured browser against public bot-detection test pages (bot.sannysoft.com, CreepJS, pixelscan, BrowserLeaks WebRTC) and reports pass/fail. These are the same harnesses used by the rebrowser-patches and Patchright projects — see rebrowser-bot-detector for the reference suite.
Typical local-fixture test run (see test/):
| Test | Result |
|---|---|
| AOM YAML contains refs for all interactive elements | ✓ |
| hybrid mode returns PNG + YAML, refs match | ✓ |
| click/type by ref produces expected DOM change | ✓ |
| Readability extracts article to Markdown | ✓ |
| Delta-only scroll returns (no readable content change) on repeat | ✓ |
Comparison
| | stealth-agent-browser-mcp | playwright-mcp | browser-use MCP | computer use | |---|---|---|---|---| | CDP-level stealth (Cloudflare/DataDome) | ✓ | ✗ | partial | ✗ | | Accessibility-tree snapshots | ✓ | ✓ | ✓ | ✗ | | Set-of-Mark vision (ref-labeled screenshot) | ✓ | ✗ | ✗ | pure vision | | Readability-based scroll-and-read | ✓ | ✗ | ✗ | ✗ | | Token-lean by default | ✓ | ✓ | ✗ | ✗ | | Bundled agent loop | ✗ (host's model drives) | ✗ | ✓ | ✗ |
Development
npm install
npx playwright-core install chromium
npm run build
npm test
Contributing
See CONTRIBUTING.md. All contributions under Apache-2.0.