js-reverse-mcp
js-reverse-mcp is an MCP server (TypeScript) that drives a Chrome/Chromium instance to help AI coding assistants inspect and debug JavaScript in web pages. It supports page navigation/context selection, script listing and source retrieval, breakpoints/stepping, function tracing, runtime evaluation at breakpoints, and network/WebSocket inspection. It also supports pre-load script injection. The project documentation highlights use of a stealth/anti-detection browser engine (Patchright) with many stealth settings.
Score Breakdown
⚙ Agent Friendliness
🔒 Security
Security posture is weak-to-moderate from the standpoint of agent governance: documentation emphasizes exposing browser content for inspection/modification and includes stealth/anti-bot bypass claims. There is no described authentication/authorization for MCP access, no scope/granularity, and no documented handling for sensitive data. TLS cannot be confirmed from README; it is likely a local/IPC MCP setup, but network transport security is not specified. Anti-detection and injection features increase risk if misused.
⚡ Reliability
Best When
You control the browsing targets (or have authorization), need JS source/function discovery and interactive debugging capabilities from an MCP-capable agent, and can tolerate the operational complexity of running Chrome/DevTools tooling.
Avoid When
You need audited security controls, deterministic behavior, or guaranteed idempotency; or you are dealing with sensitive data where browser content exposure is unacceptable.
Use Cases
- • Reverse engineering and debugging client-side JavaScript behavior on web pages
- • Assisting AI coding assistants with script discovery (loaded scripts, searching minified sources)
- • Tracing function calls and inspecting variables at breakpoints
- • Network and WebSocket investigation during runtime analysis
- • Security research on how front-end code performs encryption/requests (in non-sensitive environments)
Not For
- • Using against pages/systems where automated inspection is prohibited or disallowed
- • Investigating pages containing sensitive personal data, credentials, or protected/regulated content
- • Production-grade monitoring of live sites with strict reliability/SLA requirements
- • Use as a general-purpose remote browser automation service without strong governance
Interface
Authentication
README does not describe authentication/authorization between MCP client and server; access appears to be implicit via who can connect/run the local MCP process.
Pricing
No pricing model described (open-source).
Agent Metadata
Known Gotchas
- ⚠ Operations are stateful and depend on selected page/frame/paused state; agents must maintain context (page/frame IDs, breakpoint IDs, pause/resume sequencing).
- ⚠ Stealth/anti-detection configuration may affect site behavior and can cause inconsistencies across targets.
- ⚠ Network/WebSocket inspection may be timing-sensitive (messages and requests depend on when breakpoints are set).
- ⚠ Running locally via npx/node requires the MCP host to have Node.js and access to a compatible Chrome/Chromium runtime.
Alternatives
Full Evaluation Report
Comprehensive deep-dive: security analysis, reliability audit, agent experience review, cost modeling, competitive positioning, and improvement roadmap for js-reverse-mcp.
AI-powered analysis · PDF + markdown · Delivered within 30 minutes
Package Brief
Quick verdict, integration guide, cost projections, gotchas with workarounds, and alternatives comparison.
Delivered within 10 minutes
Score Monitoring
Get alerted when this package's AF, security, or reliability scores change significantly. Stay ahead of regressions.
Continuous monitoring
Scores are editorial opinions as of 2026-03-30.