BrowserStack MCP Server
Official BrowserStack MCP server for automated browser/app testing, accessibility scanning, Percy visual testing, self-healing selectors, build insights, RCA, and test management.
Server Info
- Package: @browserstack/mcp-server
- Registry: npm
- Repository: browserstack/mcp-server
- Maintainer: BrowserStack (Vendor)
- Category: Developer Tools
- Tags: testing, browser, automation
- Last Scanned: 28 May 2026
Findings
11 issues
Authentication & Identity
CRITICAL: Stdio-only transport - no per-request token support
Stdio-only transport (StdioServerTransport). Authentication requires BROWSERSTACK_USERNAME and BROWSERSTACK_ACCESS_KEY environment variables; both are validated at startup and passed as Basic Auth credentials in all API requests. No HTTP/SSE transport. No MCP OAuth spec (.well-known endpoints not pr... Platform cannot pass per-request tokens; must spawn one server instance per user.
Add HTTP/SSE transport to accept per-request Authorization headers.
HIGH: No MCP OAuth spec implementation
Server does not implement the MCP OAuth authorization server spec. The platform must handle the full OAuth flow, token management, and credential injection externally.
Implement the MCP OAuth spec (.well-known/oauth-authorization-server) for native per-user authentication.
HIGH: Env var credentials with no rotation mechanism
Credentials (BROWSERSTACK_USERNAME, BROWSERSTACK_ACCESS_KEY) are read from environment variables at startup. Rotation requires restarting the server process. All requests share the same service account credential.
Support dynamic credential refresh or secrets manager integration.
Tool Schema Quality
HIGH: Required fields missing on 5 write operations
Write tools without required field declarations: setupBrowserStackAutomateTests, setupPercyVisualTesting, addPercySnapshotCommands, runPercyScan, setupBrowserStackAppAutomateTests.
Add required arrays to all write/delete tool schemas.
MEDIUM: Only 2 of 43 schemas have parameter constraints
Most schemas lack maxLength, enum, or pattern constraints on string parameters.
Add constraints to string parameters, especially on write operations.
Permission Granularity
LOW: Tool descriptions lack resource scope
Descriptions don't specify what data types or resources they access.
Add resource type statements to descriptions.
LLM Safety
MEDIUM: 2 tool descriptions are too vague
Short or generic descriptions make tool selection unreliable.
Expand descriptions with specific actions, data types, and side effects.
HIGH: Tool descriptions contain instructional language
Descriptions include directives that could influence LLM behavior beyond tool selection.
Remove instructional language. Descriptions should be purely factual.
Data Exposure
MEDIUM: 8 list operations lack pagination
fetchAccessibilityIssues supports cursor-based pagination. listTestCases, listTestRuns, listTestPlans, listSubTestPlans support pagination parameters per their descriptions. listFolders, listTestFiles, and several read tools have no pagination or result caps documented. No field selection support. API responses are returned as-is from BrowserStack APIs. Binary content (screenshots) returned as base64 image content blocks.
Add limit/offset or cursor-based pagination.
LOW: No field selection on responses
Responses return full records rather than projected fields.
Implement field selection to return only relevant fields.
Maintenance & Trust
HIGH: 17 dependency vulnerabilities (2 critical, 11 high)
npm audit found 2 critical and 11 high severity CVEs.
Run `npm audit fix` and update vulnerable dependencies.
Tools
43 total

| Name | Description | Risk |
|---|---|---|
| accessibilityExpert | Agent-mode tool for accessibility/a11y/WCAG questions. Description contains instructional prompt: 'REQUIRED: Use this tool for any accessibility/a11y/WCAG questions. Do NOT answer accessibility questions directly'. | read |
| startAccessibilityScan | Start an accessibility scan on a URL using BrowserStack. | write |
| createAccessibilityAuthConfig | Create an authentication config for protected pages, supports form and basic auth types. | write |
| getAccessibilityAuthConfig | Get an existing accessibility auth config for a project. | read |
| fetchAccessibilityIssues | Fetch accessibility issues for a scan, with cursor-based pagination. | read |
| setupBrowserStackAutomateTests | Set up BrowserStack Automate integration in a project. | write |
| fetchAutomationScreenshots | Fetch and process screenshots from a BrowserStack Automate session. | read |
| percyVisualTestIntegrationAgent | Agent-mode tool for Percy visual testing integration. | read |
| setupPercyVisualTesting | Set up Percy visual testing in a project. | write |
| addPercySnapshotCommands | Add Percy snapshot commands to test files. | write |
| listTestFiles | List test files in a project directory. | read |
| runPercyScan | Run a Percy visual scan. | write |
| fetchPercyChanges | Fetch visual changes detected by Percy. | read |
| managePercyBuildApproval | Approve or reject a Percy build. | write |
| runBrowserLiveSession | Start a browser live (interactive) session on BrowserStack. | write |
| runAppLiveSession | Start an app live (interactive) session on BrowserStack. | write |
| takeAppScreenshot | Take a screenshot from a BrowserStack App Automate session. | read |
| runAppTestsOnBrowserStack | Run mobile app tests on BrowserStack App Automate. | write |
| setupBrowserStackAppAutomateTests | Set up BrowserStack App Automate integration for a project. | write |
| getFailureLogs | Fetch failure logs from a BrowserStack test session. | read |
| fetchBuildInsights | Fetch build insights and analytics for a BrowserStack build. | read |
| fetchRCA | Fetch root cause analysis for a failing test. | read |
| getBuildId | Get the BrowserStack build ID for a given test run. | read |
| listTestIds | List test IDs in a BrowserStack build. | read |
| fetchSelfHealedSelectors | Fetch self-healed CSS/XPath selectors for a BrowserStack session. | read |
| prepareSelfHealingPlan | Generate a self-healing plan for flaky selectors. | read |
| getFailuresInLastRun | Debug failures in the last test run using BrowserStack Observability. Only applicable when browserstack.yml is present. | read |
| createProjectOrFolder | Create a project or folder in BrowserStack Test Management. | write |
| createTestCase | Create a test case in Test Management. | write |
| updateTestCase | Update an existing test case in Test Management. | write |
| listTestCases | List test cases in a project, with optional folder scope and filters including case_type, priority, and pagination. | read |
| listFolders | List folders in a Test Management project. | read |
| createTestRun | Create a test run in Test Management. | write |
| listTestRuns | List test runs in a Test Management project. | read |
| updateTestRun | Update a test run in Test Management. | write |
| addTestResult | Add a test result to a test run. | write |
| uploadProductRequirementFile | Upload a product requirement document for AI test case generation. Uses upload-validator.ts path validation to prevent path traversal. | write |
| createTestCasesFromFile | Generate test cases from an uploaded requirements file. | write |
| createLCASteps | Create low-code automation (LCA) steps for test cases. | write |
| listTestPlans | List test plans in a Test Management project. Supports pagination. | read |
| getTestPlan | Get a specific test plan by ID. | read |
| listSubTestPlans | List sub-test-plans under a parent test plan. Supports pagination. | read |
| getSubTestPlan | Get a specific sub-test-plan. | read |
Deploy BrowserStack MCP Server securely
CompleteFlow adds per-user authentication, permission scoping, and audit logging to any MCP server out of the box.