Chrome MCP read-only tools execute without permission prompt, enabling silent cross-device browser state access
Resolved 💬 4 comments Opened Mar 23, 2026 by bzeeman Closed Apr 21, 2026
Summary
The claude-in-chrome MCP integration allows read-only tools (e.g., tabs_context_mcp) to execute without any user permission prompt. Combined with the extension's ability to connect across devices, this means Claude Code can silently read browser state (open tabs, URLs, page titles) from a machine the user isn't actively working on, without the user's knowledge or consent.
Steps to Reproduce
- Have the Claude-in-Chrome extension installed and active on Machine A
- Start a Claude Code session on Machine B (where the extension is not the intended target)
- Claude calls
mcp__claude-in-chrome__tabs_context_mcp - The call succeeds and returns tab information from Machine A — no permission prompt is shown
Expected Behavior
- All Chrome MCP tools (including read-only ones) should require explicit user permission before executing
- The user should be informed which device/browser instance the extension is connected to before any data is accessed
- Ideally, the connection should be scoped to the local machine or require explicit cross-device authorization
Actual Behavior
tabs_context_mcpexecutes silently and returns browser state from a remote machine- Write operations (e.g.,
navigate) do trigger permission prompts, but read-only calls do not - No device identity is shown — the user has no way to know which machine is being accessed
Impact
- Silent exfiltration of browsing activity (URLs, page titles) across devices
- A prompt injection in any tool result could trigger Chrome MCP reads without the user ever seeing a prompt
- Violates the principle that actions affecting other devices should require explicit consent
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗