Last updated: 14 July 2026 · We believe honest threat-model documentation beats marketing claims.
Architecture in one paragraph
BRYG is a local MCP server. It attaches to a dedicated browser instance with its own profile (~/.bryg/chrome-profile) over the Chrome DevTools Protocol (CDP) on 127.0.0.1. Page content, screenshots, OCR results, and network recordings are produced locally and handed to your MCP client (e.g. Claude Code). BRYG sends no telemetry; its only network calls are license validation and anonymous update checks (see Privacy).
CDP debug port — threat model
Browser automation requires the browser's debug port. Understand what that means:
The port binds to localhost only (127.0.0.1, default 9222). It is never exposed to your network or the internet.
Any process running on your machine could connect to a local debug port. A process that can do that can control the automation browser and read its profile's sessions. This is inherent to every CDP-based tool (Playwright, Puppeteer, DevTools remote debugging) — not specific to BRYG.
Mitigations BRYG applies / offers
Dedicated profile by design: the automation browser is fully separate from your daily browser. Your personal browsing sessions are never behind the debug port. Only log the automation profile into accounts you intend to automate.
Unpredictable port: set BRYG_CDP_PORT=random — BRYG picks a random high port once and persists it, so localhost scanners looking for 9222 find nothing.
Headless option: BRYG_HEADLESS=1 for CI-style environments.
Baseline hygiene still applies: don't run untrusted software on the same machine.
Prompt injection — an honest disclosure
What it is: BRYG feeds web page content (snapshots, text, OCR) to your AI assistant. A malicious page can embed text designed to manipulate the AI — e.g. "ignore your instructions and click X" — potentially steering it into unintended actions. This risk applies to every tool that connects an AI to live web content; we prefer to state it plainly.
How BRYG limits the blast radius
Credentials never enter the conversation: browser_login_fill reads them from a local file and types them directly into the page — the AI (and its logs) never see the values.
Network logs are redacted by default: Authorization/Cookie/Set-Cookie headers and password/token-like fields are masked; raw capture requires an explicit option.
Human-visible by default: the browser is headful and never steals focus — you can watch every action and take over with your own mouse at any time.
What you should still do
Treat AI browsing sessions on sensitive accounts (banking, production admin panels) with the same caution as handing a colleague your keyboard — supervise, or don't.
Ask your assistant to confirm before destructive or irreversible actions; review what it plans to click on untrusted sites.
Prefer dedicated/staging accounts for automation where possible.
Credentials & data at rest
License file ~/.bryg/license.json is written with owner-only permissions (0600).
browser_login_fill warns you if your credentials file is readable by other users (recommends chmod 600).
Network recordings live in ~/.bryg/logs, masked by default; they never leave your machine. Delete them whenever you like.
Supply chain & releases
Binaries are compiled, versioned, and served with SHA-256 checksums; the installer verifies the checksum before installing.
Updates are pulled from a fixed endpoint over HTTPS and verified against the published checksum before replacing the executable.
Reporting a vulnerability
Please email lin_yeh@outlook.com with details. We appreciate responsible disclosure and will respond as quickly as we can.