{"id":"zhizhuodemao-js-reverse-mcp","name":"js-reverse-mcp","homepage":null,"repo_url":"https://github.com/zhizhuodemao/js-reverse-mcp","category":"devtools","subcategories":[],"tags":["mcp","devtools","debugging","javascript","reverse-engineering","browser-automation","stealth","playwright","chromium","cdp","ai-agent"],"what_it_does":"js-reverse-mcp is an MCP server (TypeScript) that drives a Chrome/Chromium instance to help AI coding assistants inspect and debug JavaScript in web pages. It supports page navigation/context selection, script listing and source retrieval, breakpoints/stepping, function tracing, runtime evaluation at breakpoints, and network/WebSocket inspection. It also supports pre-load script injection. The project documentation highlights use of a stealth/anti-detection browser engine (Patchright) with many stealth settings.","use_cases":["Reverse engineering and debugging client-side JavaScript behavior on web pages","Assisting AI coding assistants with script discovery (loaded scripts, searching minified sources)","Tracing function calls and inspecting variables at breakpoints","Network and WebSocket investigation during runtime analysis","Security research on how front-end code performs encryption/requests (in non-sensitive environments)"],"not_for":["Using against pages/systems where automated inspection is prohibited or disallowed","Investigating pages containing sensitive personal data, credentials, or protected/regulated content","Production-grade monitoring of live sites with strict reliability/SLA requirements","Use as a general-purpose remote browser automation service without strong governance"],"best_when":"You control the browsing targets (or have authorization), need JS source/function discovery and interactive debugging capabilities from an MCP-capable agent, and can tolerate the operational complexity of running Chrome/DevTools tooling.","avoid_when":"You need audited security controls, deterministic behavior, or guaranteed idempotency; or you are dealing with sensitive data where browser content exposure is unacceptable.","alternatives":["chrome-devtools-mcp / other MCP wrappers for Chrome DevTools Protocol","Playwright + custom MCP/agent bridge for targeted debugging","Puppeteer/Playwright with a dedicated API layer (internal tooling) rather than MCP","Generic DevTools Protocol clients (CDP) with your own agent integration"],"af_score":58.8,"security_score":34.2,"reliability_score":27.5,"package_type":"mcp_server","discovery_source":["github"],"priority":"high","status":"evaluated","version_evaluated":null,"last_evaluated":"2026-03-30T13:27:25.203719+00:00","interface":{"has_rest_api":false,"has_graphql":false,"has_grpc":false,"has_mcp_server":true,"mcp_server_url":null,"has_sdk":false,"sdk_languages":[],"openapi_spec_url":null,"webhooks":false},"auth":{"methods":["None specified (runs locally via npx/node; communicates with MCP client over the MCP transport)."],"oauth":false,"scopes":false,"notes":"README does not describe authentication/authorization between MCP client and server; access appears to be implicit via who can connect/run the local MCP process."},"pricing":{"model":null,"free_tier_exists":false,"free_tier_limits":null,"paid_tiers":[],"requires_credit_card":false,"estimated_workload_costs":null,"notes":"No pricing model described (open-source)."},"requirements":{"requires_signup":false,"requires_credit_card":false,"domain_verification":false,"data_residency":[],"compliance":[],"min_contract":null},"agent_readiness":{"af_score":58.8,"security_score":34.2,"reliability_score":27.5,"mcp_server_quality":75.0,"documentation_accuracy":70.0,"error_message_quality":0.0,"error_message_notes":null,"auth_complexity":90.0,"rate_limit_clarity":5.0,"tls_enforcement":60.0,"auth_strength":20.0,"scope_granularity":10.0,"dependency_hygiene":55.0,"secret_handling":35.0,"security_notes":"Security posture is weak-to-moderate from the standpoint of agent governance: documentation emphasizes exposing browser content for inspection/modification and includes stealth/anti-bot bypass claims. There is no described authentication/authorization for MCP access, no scope/granularity, and no documented handling for sensitive data. TLS cannot be confirmed from README; it is likely a local/IPC MCP setup, but network transport security is not specified. Anti-detection and injection features increase risk if misused.","uptime_documented":0.0,"version_stability":45.0,"breaking_changes_history":40.0,"error_recovery":25.0,"idempotency_support":"false","idempotency_notes":"Many operations are inherently stateful (create/select page, set/remove breakpoints, inject scripts, run/step). No explicit idempotency guarantees are described.","pagination_style":"none","retry_guidance_documented":false,"known_agent_gotchas":["Operations are stateful and depend on selected page/frame/paused state; agents must maintain context (page/frame IDs, breakpoint IDs, pause/resume sequencing).","Stealth/anti-detection configuration may affect site behavior and can cause inconsistencies across targets.","Network/WebSocket inspection may be timing-sensitive (messages and requests depend on when breakpoints are set).","Running locally via npx/node requires the MCP host to have Node.js and access to a compatible Chrome/Chromium runtime."]}}