Hacker News new | past | comments | ask | show | jobs | submit
aadishv | on: Chrome DevTools MCP (2025)
Someone already made a great agent skill for this, which I'm using daily, and it's been very cool!

https://github.com/pasky/chrome-cdp-skill

For example, I use codex to manage a local music library, and it was able to use the skill to open a YT Music tab in my browser, search for each album, and get the URL to pass to yt-dlp.

Do note that it only works for Chrome browsers rn, so you have to edit the script to point to a different Chromium browser's binary (e.g. I use Helium) but it's simple enough

Etheryte | parent | next
On one hand, cool demo, on the other, this is horrifying in more ways than I can begin to describe. You're literally one prompt injection away from someone having unlimited access to all of your everything.
mh- | root | parent | next
Not the person you're replying to, but: I just use a separate, dedicated Chrome profile that isn't logged into anything except what I'm working on. Then I keep the persistence, but without commingling in a way that dramatically increases the risk.

edit: upon rereading, I now realize the (different) prompt injection risk you were calling out re: the handoff to yt-dlp. Separate profiles won't save you from that, though there are other approaches.

sofixa | root | parent | next
Even without the bash escape risk (which can be mitigated with the various ways of only allowing yt-dlp to be executed), YT Music is a paid service gated behind a Google account, with associated payment method. Even just stealing the auth cookie is pretty serious in terms of damage it could do.
loading story #47391875
bartek_gdn | root | parent
That's also my approach, built quickly a cli for this with lightweight session management

https://news.ycombinator.com/item?id=47207790

aadishv | root | parent | next
Of course I still watch it and have my finger on the escape key at all times :)
glenpierce | root | parent | next
I am in awe of the confidence you have in your reflexes.
loading story #47392249
bergheim | root | parent
For now you are. All these things fall with time, of course. You will stop caring once you start feeling safe, we all do.

Also. AAarrgh, my new thing to be annoyed at is AI drivel written slop.

"No browser automation framework, no separate browser instance, no re-login."

Oh really, nice. No separate computer either? No separate power station, no house, no star wars? No something else we didn't ask for? Just one a toggle and you go? Whoaaaaaa.

Edit: lol even the skill itself is vibe coded:

Lightweight Chrome DevTools Protocol CLI. Connects directly via WebSocket — no Puppeteer, works with 100+ tabs, instant connection.

I feel like there's nothing fucking left on the internet anymore that is not some mean of whatever the LLM is trained to talk like now.

loading story #47391620
sheepscreek | root | parent
As long as it’s gated and not turned on by default, it’s all good. They could also add a warning/sanity check similar to “allow pasting” in the console.
hrmtst93837 | root | parent
Relying on warnings or opt-ins for something with this blast radius is security theater more than protection. The cleverest malware barely waits for you to click OK before making itself at home, so that checkbox is a speed bump on a highway.

Chrome's 'allow pasting' gets ignored reflexively by most users anyway. If this agent can touch DevTools the attack surface expands far faster than most people realize or will ever audit.

esperent | parent | next
> Most browser automation tools launch a fresh, isolated browser. This one connects to the Chrome you're already running

Is this the same as what Claude in Chrome does?

I tried that for a while and since I use Firefox and Chromium, the security problem of it seeing your tabs wasn't a big deal. Fresh Chrome install, only ever used for this exact purpose. Plus you can watch it working in real (actually very slow) time so if you did point it at something risky you can take over at any point.

For actual testing of web apps though, a skill with playwright cli in headless mode is much more effective. About 1-2k context per interaction after a bit of tuning.

paulirish | parent | next
To be clear, this isn't a skill for the devtools mcp, but an independent project. It doesn't look bad, but obviously browser automation + agents is a very busy space with lots of parallel efforts.

DevTools MCP and its new CLI are maintained by the team behind Chrome DevTools & Puppeteer and it certainly has a more comprehensive feature set. I'd expect it to be more reliable, but.. hey open source competition breeds innovation and I love that. :)

(I used to work on the DevTools team. And I still do, too)

xmorse | parent | next
Does anyone really use these hacked up with duct tape skills? why not use something more reliable like playwriter.dev?
Mashimo | parent
Mhh, yt-dlp already has a build in youtube search, could you not use that instead of anything with AI?