webmcp-security
Implement WebMCP security best practices — permission model, data minimization, honest descriptions, input validation, fingerprinting prevention, and fraud mitigation. Use when auditing or hardening WebMCP tool implementations.
Best use case
webmcp-security is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Implement WebMCP security best practices — permission model, data minimization, honest descriptions, input validation, fingerprinting prevention, and fraud mitigation. Use when auditing or hardening WebMCP tool implementations.
Teams using webmcp-security should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/webmcp-security/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How webmcp-security Compares
| Feature / Agent | webmcp-security | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Implement WebMCP security best practices — permission model, data minimization, honest descriptions, input validation, fingerprinting prevention, and fraud mitigation. Use when auditing or hardening WebMCP tool implementations.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# WebMCP Security
## Before writing code
**Fetch live docs**:
1. Fetch `https://webmachinelearning.github.io/webmcp/` for security-related sections of the specification
2. Web-search `webmcp security privacy permission model` for security architecture details
3. Web-search `site:github.com mcp-b security` for polyfill security guidelines
4. Web-search `webmcp fingerprinting data minimization` for privacy best practices
## Conceptual Architecture
### Permission-First Design
WebMCP's security model is **permission-first**:
1. The site defines what tools exist (tool registration)
2. The browser mediates — prompts the user before allowing agent invocation
3. The user grants or denies permission per tool or per session
4. Annotations (`destructiveHint`, `readOnlyHint`) inform browser permission decisions
5. Tools execute within the page's secure context (same-origin, HTTPS required)
### Threat Model
| Threat | Description | Mitigation |
|--------|-------------|------------|
| **Deceptive tool descriptions** | Tool named "addToCart" actually charges the user | Honest descriptions; browser/audit verification |
| **Agent hallucination** | Agent calls wrong tool or passes bad parameters | Schema validation; user confirmation for high-risk tools |
| **Over-parameterization** | Tool requests excessive personal data from agent | Data minimization; server-side session lookups |
| **Fingerprinting** | Tool parameters reveal user attributes | Minimal input schemas; avoid asking for identity data |
| **Rapid automation abuse** | Agent makes rapid repeated transactions | Server-side rate limiting; CAPTCHA for bulk operations |
| **Cross-origin data leak** | Tool exposes data from another origin | Same-origin enforcement; browser sandboxing |
| **Session hijacking** | Tool's session exploited by malicious agent | Standard CSRF protection; secure cookie flags |
| **Prompt injection** | Malicious content in tool results manipulates agent | Output sanitization; structured JSON responses |
### Honest Descriptions
Tool descriptions are a critical security surface:
- Agents rely on descriptions to decide which tools to use
- A malicious site could expose `addToCart` that actually calls `placeOrder`
- Descriptions MUST accurately reflect what the tool does
- Include side effects: "Adds item to cart AND applies default shipping"
- Include limitations: "Only works for in-stock items"
### Data Minimization
Minimize the data tools request from agents:
**Bad — over-parameterized:**
```js
// DON'T: asking agent to supply user's personal data
inputSchema: {
properties: {
userId: { type: "string" },
email: { type: "string" },
shippingAddress: { type: "object" },
creditCardLast4: { type: "string" }
}
}
```
**Good — minimal, server-side lookup:**
```js
// DO: only take what's needed, look up user data server-side
inputSchema: {
properties: {
productId: { type: "string" },
quantity: { type: "integer" }
}
}
// execute callback uses session cookies to identify the user server-side
```
### Input Validation
Always validate tool input:
- JSON Schema validation happens at the browser level before `execute` is called
- Add server-side validation in your API endpoints — don't trust client-side schema alone
- Sanitize string inputs to prevent XSS or injection attacks
- Validate IDs against actual database records
- Reject unexpected fields or overly long values
### Rate Limiting
Protect against agent abuse:
- Implement server-side rate limits on APIs called by tools
- Limit transactions per session (e.g., max 5 orders per hour)
- Use CAPTCHA or user interaction for bulk operations
- Monitor for anomalous patterns (rapid-fire tool calls)
### Audit Logging
Log all agent interactions:
- Tool name, input parameters (sanitized), timestamp
- User session identity
- Whether user interaction was requested and the user's response
- Tool result status (success, failure, canceled)
- Agent identifier if available
### Liability Considerations
- If an agent mistakenly places an order, who is responsible?
- WebMCP's human-in-the-loop design and confirmation prompts help
- Always require `requestUserInteraction` for financial actions
- Log user approvals as evidence of consent
- Consider displaying pending agent actions as reversible/draft before committing
### Best Practices Checklist
- [ ] All tool descriptions accurately match behavior
- [ ] No sensitive data in input schemas (no passwords, SSNs, full card numbers)
- [ ] `destructiveHint` set on all financial/irreversible tools
- [ ] `requestUserInteraction` used for purchases, deletions, and account changes
- [ ] Server-side input validation on all API endpoints
- [ ] Rate limiting on APIs called by tools
- [ ] Audit logging for all tool invocations
- [ ] CSRF tokens included in POST requests
- [ ] Sensitive tools only registered for authenticated users
- [ ] `clearContext()` called on logout
Fetch the specification for the latest security requirements, permission model details, and browser enforcement behavior before auditing.Related Skills
woo-security
Implement WooCommerce security — nonces, capabilities, input sanitization, output escaping, data validation, PCI compliance considerations, and WordPress security best practices. Use when hardening a WooCommerce store or reviewing security posture.
webmcp-user-interaction
Implement human-in-the-loop flows with requestUserInteraction() — confirmation dialogs, approval workflows, and user prompts during tool execution. Use when building tools that require user consent before performing actions.
webmcp-tool-schemas
Design JSON Schemas for WebMCP tool inputs and outputs — proper types, constraints, nested objects, and agent-friendly documentation. Use when defining or refining tool schemas for agent consumption.
webmcp-tool-annotations
Implement WebMCP tool annotations — readOnlyHint, destructiveHint, idempotentHint safety hints that inform browser permission prompts and agent behavior. Use when marking tools with appropriate safety metadata.
webmcp-testing
Test WebMCP tools with AI agents — Chrome DevTools integration, agent testing workflows, tool discovery verification, and end-to-end commerce flow testing. Use when validating that tools work correctly with real AI agents.
webmcp-setup
Set up a WebMCP project — enable Chrome flags, install MCP-B polyfill, scaffold tool registration, and configure development environment. Use when starting a new WebMCP-enabled website from scratch.
webmcp-register-tool
Implement the WebMCP Imperative API — register tools via navigator.modelContext.registerTool() with proper schemas, execute callbacks, and lifecycle management. Use when building dynamic tool registration in JavaScript.
webmcp-polyfill
Set up and use the MCP-B polyfill — vanilla JS and React packages that implement navigator.modelContext for browsers without native WebMCP. Use when developing for browsers that don't yet support WebMCP natively.
webmcp-mcp-bridge
Integrate WebMCP client-side tools with backend MCP servers and UCP endpoints — bridge browser-based agent interactions with server-to-server protocols. Use when connecting front-end WebMCP to existing backend API infrastructure.
webmcp-context-provider
Implement the WebMCP provideContext API — bulk tool registration, contextual metadata, page state sharing, and dynamic context updates. Use when providing rich context and multiple tools to agents simultaneously.
webmcp-commerce-tools
Implement commerce-specific WebMCP tools — product search, cart management, checkout, returns, subscriptions, and support. Use when building agentic shopping experiences on e-commerce websites.
webmcp-authentication
Implement WebMCP authentication patterns — browser session inheritance, cookie-based auth, role-gated tool registration, and conditional tool exposure. Use when managing which tools are available based on user authentication state.