{
  "slug": "hyperbrowser",
  "tool_id": "npm/hyperbrowser-mcp",
  "verdict_url": "/verdict/hyperbrowser",
  "verdict_content_hash": "sha256:ca6e556b244015131248c2692422ef6724ca89f37e32ab93f11807f993714619",
  "version": "1.0.25",
  "commit": "",
  "dist_shasum": "e48e67a378396d39f6f5b8c91183adf5215e86d0",
  "scanned_at": "2026-06-14T00:00:00Z",
  "capture_self_test": "verified — a beacon decoy was emitted from the tool's network context; its presence in the intercept means a 'no egress' result would have been trustworthy.",
  "method": "Installed and run in an isolated container; fed traceable decoy data; all outbound traffic intercepted (TLS broken via own CA, iptables transparent redirect). Endpoints, resolved geo/jurisdiction and frequency are observed facts. Capture self-test passed.",
  "request_count": 8,
  "captured_requests": [
    {
      "method": "POST",
      "scheme": "https",
      "host": "app.hyperbrowser.ai",
      "path": "/api/extract",
      "headers": {
        "x-api-key": "canary-dummy",
        "content-type": "application/json",
        "Accept": "*/*",
        "Content-Length": "254",
        "User-Agent": "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)",
        "Accept-Encoding": "gzip,deflate",
        "Host": "app.hyperbrowser.ai",
        "Connection": "keep-alive"
      },
      "body_redacted": "{\"urls\":[\"http://canary-directed-e525e270.trace.invalid/canary-e525e270-url-df1fe862b7b4\"],\"sessionOptions\":{\"useProxy\":false,\"useStealth\":false,\"solveCaptchas\":false,\"acceptCookies\":false},\"prompt\":\"FILE-CONTENT::canary-e525e270-file-123d591ce014::END\"}",
      "blocked": true,
      "tls_inspected": true
    },
    {
      "method": "POST",
      "scheme": "https",
      "host": "app.hyperbrowser.ai",
      "path": "/api/task/browser-use",
      "headers": {
        "x-api-key": "canary-dummy",
        "content-type": "application/json",
        "Accept": "*/*",
        "Content-Length": "176",
        "User-Agent": "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)",
        "Accept-Encoding": "gzip,deflate",
        "Host": "app.hyperbrowser.ai",
        "Connection": "keep-alive"
      },
      "body_redacted": "{\"task\":\"FILE-CONTENT::canary-e525e270-file-123d591ce014::END\",\"sessionOptions\":{\"useProxy\":false,\"useStealth\":false,\"solveCaptchas\":false,\"acceptCookies\":false},\"maxSteps\":25}",
      "blocked": true,
      "tls_inspected": true
    },
    {
      "method": "POST",
      "scheme": "https",
      "host": "app.hyperbrowser.ai",
      "path": "/api/task/cua",
      "headers": {
        "x-api-key": "canary-dummy",
        "content-type": "application/json",
        "Accept": "*/*",
        "Content-Length": "176",
        "User-Agent": "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)",
        "Accept-Encoding": "gzip,deflate",
        "Host": "app.hyperbrowser.ai",
        "Connection": "keep-alive"
      },
      "body_redacted": "{\"task\":\"FILE-CONTENT::canary-e525e270-file-123d591ce014::END\",\"sessionOptions\":{\"useProxy\":false,\"useStealth\":false,\"solveCaptchas\":false,\"acceptCookies\":false},\"maxSteps\":25}",
      "blocked": true,
      "tls_inspected": true
    },
    {
      "method": "POST",
      "scheme": "https",
      "host": "app.hyperbrowser.ai",
      "path": "/api/task/claude-computer-use",
      "headers": {
        "x-api-key": "canary-dummy",
        "content-type": "application/json",
        "Accept": "*/*",
        "Content-Length": "176",
        "User-Agent": "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)",
        "Accept-Encoding": "gzip,deflate",
        "Host": "app.hyperbrowser.ai",
        "Connection": "keep-alive"
      },
      "body_redacted": "{\"task\":\"FILE-CONTENT::canary-e525e270-file-123d591ce014::END\",\"sessionOptions\":{\"useProxy\":false,\"useStealth\":false,\"solveCaptchas\":false,\"acceptCookies\":false},\"maxSteps\":25}",
      "blocked": true,
      "tls_inspected": true
    },
    {
      "method": "POST",
      "scheme": "https",
      "host": "app.hyperbrowser.ai",
      "path": "/api/extract",
      "headers": {
        "x-api-key": "canary-dummy",
        "content-type": "application/json",
        "Accept": "*/*",
        "Content-Length": "787",
        "User-Agent": "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)",
        "Accept-Encoding": "gzip,deflate",
        "Host": "app.hyperbrowser.ai",
        "Connection": "keep-alive"
      },
      "body_redacted": "{\"urls\":[\"https://www.bing.com/search?q=FILE-CONTENT::canary-e525e270-file-123d591ce014::END\"],\"sessionOptions\":{\"useProxy\":false,\"useStealth\":false,\"solveCaptchas\":false,\"acceptCookies\":false,\"adblock\":true},\"prompt\":\"Extract the top 10 search results from this page.\",\"schema\":{\"type\":\"object\",\"properties\":{\"allSearchResults\":{\"type\":\"array\",\"items\":{\"type\":\"object\",\"properties\":{\"title\":{\"type\":\"string\",\"description\":\"The title of the search result\"},\"url\":{\"type\":\"string\",\"description\":\"The URL of the search result\"},\"snippet\":{\"type\":\"string\",\"description\":\"The snippet of the search result\"}},\"required\":[\"title\",\"url\",\"snippet\"],\"additionalProperties\":false}}},\"required\":[\"allSearchResults\"],\"additionalProperties\":false,\"$schema\":\"http://json-schema.org/draft-07/schema#\"}}",
      "blocked": true,
      "tls_inspected": true
    },
    {
      "method": "POST",
      "scheme": "https",
      "host": "app.hyperbrowser.ai",
      "path": "/api/profile",
      "headers": {
        "x-api-key": "canary-dummy",
        "content-type": "application/json",
        "Accept": "*/*",
        "Content-Length": "0",
        "User-Agent": "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)",
        "Accept-Encoding": "gzip,deflate",
        "Host": "app.hyperbrowser.ai",
        "Connection": "keep-alive"
      },
      "body_redacted": "",
      "blocked": true,
      "tls_inspected": true
    },
    {
      "method": "DELETE",
      "scheme": "https",
      "host": "app.hyperbrowser.ai",
      "path": "/api/profile/FILE-CONTENT::canary-e525e270-file-123d591ce014::END",
      "headers": {
        "x-api-key": "canary-dummy",
        "content-type": "application/json",
        "Accept": "*/*",
        "User-Agent": "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)",
        "Accept-Encoding": "gzip,deflate",
        "Host": "app.hyperbrowser.ai",
        "Connection": "keep-alive"
      },
      "body_redacted": "",
      "blocked": true,
      "tls_inspected": true
    },
    {
      "method": "GET",
      "scheme": "https",
      "host": "app.hyperbrowser.ai",
      "path": "/api/profiles",
      "headers": {
        "x-api-key": "canary-dummy",
        "content-type": "application/json",
        "Accept": "*/*",
        "User-Agent": "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)",
        "Accept-Encoding": "gzip,deflate",
        "Host": "app.hyperbrowser.ai",
        "Connection": "keep-alive"
      },
      "body_redacted": "",
      "blocked": true,
      "tls_inspected": true
    }
  ],
  "reproduce": {
    "scanner": "canary-sandbox (open methodology; Docker backend)",
    "command": "python -m canary.cli scan <target> --backend docker   # target: npm hyperbrowser-mcp@1.0.25",
    "note": "Re-run it yourself: the scanner installs the pinned version, drives the tool over MCP, and intercepts all egress."
  },
  "note": "Raw captured outbound requests from one sandbox run (identifiers/keys redacted). This is the underlying observation behind the verdict — re-run the scan to verify.",
  "verification": "verdict_content_hash = sha256 over the canonical verdict JSON; dist_shasum = the npm tarball checksum of the pinned version. Signed artifacts + an append-only immutable log are on the roadmap (toward independent verifiability).",
  "verdict_signature": "ed25519:U1+/ON4GE9WtOLhhtdosRPdRok9MF2Dh/oHmp22cm9mo8TbSxxAFArZtWs3OdYGbIQ1MrM3PL4EsJ/irV3wWAw=="
}