Chrome MCP read-only tools execute without permission prompt, enabling silent cross-device browser state access

Resolved 💬 4 comments Opened Mar 23, 2026 by bzeeman Closed Apr 21, 2026

Summary

The claude-in-chrome MCP integration allows read-only tools (e.g., tabs_context_mcp) to execute without any user permission prompt. Combined with the extension's ability to connect across devices, this means Claude Code can silently read browser state (open tabs, URLs, page titles) from a machine the user isn't actively working on, without the user's knowledge or consent.

Steps to Reproduce

  1. Have the Claude-in-Chrome extension installed and active on Machine A
  2. Start a Claude Code session on Machine B (where the extension is not the intended target)
  3. Claude calls mcp__claude-in-chrome__tabs_context_mcp
  4. The call succeeds and returns tab information from Machine A — no permission prompt is shown

Expected Behavior

  • All Chrome MCP tools (including read-only ones) should require explicit user permission before executing
  • The user should be informed which device/browser instance the extension is connected to before any data is accessed
  • Ideally, the connection should be scoped to the local machine or require explicit cross-device authorization

Actual Behavior

  • tabs_context_mcp executes silently and returns browser state from a remote machine
  • Write operations (e.g., navigate) do trigger permission prompts, but read-only calls do not
  • No device identity is shown — the user has no way to know which machine is being accessed

Impact

  • Silent exfiltration of browsing activity (URLs, page titles) across devices
  • A prompt injection in any tool result could trigger Chrome MCP reads without the user ever seeing a prompt
  • Violates the principle that actions affecting other devices should require explicit consent

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗