Playwright MCP silently hijacks all Chrome downloads to temp folder

Resolved 💬 3 comments Opened Mar 27, 2026 by cetej Closed Apr 30, 2026

Bug Report

Summary

When @playwright/mcp@latest is configured as an MCP server in Claude Code's global ~/.claude/settings.json, it connects to the user's existing Chrome browser via DevTools protocol and silently redirects ALL Chrome downloads (including manual user-initiated downloads) to a hidden temp folder (%LOCALAPPDATA%/Temp/playwright-artifacts-*/). Files are saved without extensions using UUID filenames.

The user's Chrome download settings ("always ask where to save", default download directory) are completely ignored. Chrome's download history shows the files but "Open folder" doesn't work due to the unusual temp path.

Impact

  • Duration: 20+ hours before the user noticed — downloads appeared to work in Chrome's UI but files were inaccessible
  • Data affected: 200+ MB of files saved without extensions in a temp folder
  • User experience: Chrome download settings completely overridden without any notification or consent
  • Diagnosis difficulty: Extremely hard to trace — the Playwright MCP process runs silently in the background. Even after killing the processes, Chrome retains the hijacked download handler in memory until fully restarted

Root Cause

Claude (the AI agent) added @playwright/mcp@latest to the user's global ~/.claude/settings.json during a dev-browser integration task. This caused every subsequent Claude Code session to launch a Playwright MCP server that attached to Chrome's DevTools protocol and intercepted the download handler.

Steps to Reproduce

  1. Add to ~/.claude/settings.json:
{
  "mcpServers": {
    "playwright": {
      "command": "npx",
      "args": ["-y", "@playwright/mcp@latest"]
    }
  }
}
  1. Start a Claude Code session
  2. Open Chrome and download any file
  3. File is saved to %LOCALAPPDATA%/Temp/playwright-artifacts-*/ instead of the user's configured download directory

Additional Issues Discovered During Investigation

  • Claude also wrote API keys (GitHub PAT, Brave API key) directly into claude_desktop_config.json as plaintext instead of using environment variables — a security anti-pattern
  • The Playwright MCP was also added to claude_desktop_config.json (Claude Desktop) and permissions in multiple project settings.local.json files

Suggested Improvements

  1. Warning when MCP servers have broad browser permissions: Playwright MCP connecting to the user's Chrome has severe side effects that are not surfaced to the user
  2. Claude should never add MCP servers to global config without explicit user confirmation of the side effects
  3. Secrets should never be written to config files — Claude should guide users to set environment variables instead

Environment

  • OS: Windows 11 Home
  • Claude Code: Claude Desktop app
  • Chrome: 146.0.7680.165
  • Playwright MCP: @playwright/mcp@latest

Workaround

Remove Playwright MCP from all configs, kill all Playwright node processes, force-kill and restart Chrome. Use "Claude in Chrome" extension instead for browser automation — it does not intercept downloads.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗