Config is the same across clients — only the file and path differ.
{
"mcpServers": {
"oculo": {
"args": [
"/path/to/oculo/bin/oculo-mcp.mjs"
],
"command": "node"
}
}
}Are you the author?
Add this badge to your README to show your security score and help users find safe servers.
Open-source AI browser that gives Claude Code, Cursor, Windsurf, and any MCP client the ability to see and interact with any website. 12 tools, under 300 tokens per flow.
Run this in your terminal to verify the server starts. Then let us know if it worked — your result helps other developers.
npx -y 'electron' 2>&1 | head -1 && echo "✓ Server started successfully"
After testing, let us know if it worked:
Five weighted categories — click any category to see the underlying evidence.
Electron: Buffer performs incorrect byte length calculations resulting in heap buffer under/overflow
### Impact Most apps will crash and some may perform incorrect buffer allocations in the Node.js `Buffer` API resulting in unexpected truncation or allocation. ### Workarounds No workarounds. Do not use these impacted Electron releases ### Fixed Versions * `42.3.3` ### For more information If you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org)
Electron: Crash in clipboard.readImage() on malformed clipboard image data
### Impact Apps that call `clipboard.readImage()` may be vulnerable to a denial of service. If the system clipboard contains image data that fails to decode, the resulting null bitmap is passed unchecked to image construction, triggering a controlled abort and crashing the process. Apps are only affected if they call `clipboard.readImage()`. Apps that do not read images from the clipboard are not affected. This issue does not allow memory corruption or code execution. ### Workarounds Validate
Electron: Named window.open targets not scoped to the opener's browsing context
### Impact When a renderer calls `window.open()` with a target name, Electron did not correctly scope the named-window lookup to the opener's browsing context group. A renderer could navigate an existing child window that was opened by a different, unrelated renderer if both used the same target name. If that existing child was created with more permissive `webPreferences` (via `setWindowOpenHandler`'s `overrideBrowserWindowOptions`), content loaded by the second renderer inherits those permissi
Electron: Use-after-free in offscreen shared texture release() callback
### Impact Apps that use offscreen rendering with GPU shared textures may be vulnerable to a use-after-free. Under certain conditions, the `release()` callback provided on a `paint` event texture can outlive its backing native state, and invoking it after that point dereferences freed memory in the main process, which may lead to a crash or memory corruption. Apps are only affected if they use offscreen rendering with `webPreferences.offscreen: { useSharedTexture: true }`. Apps that do not enab
Electron: Context Isolation bypass via contextBridge VideoFrame transfer
### Impact Apps that pass `VideoFrame` objects (from the WebCodecs API) across the `contextBridge` are vulnerable to a context isolation bypass. An attacker who can execute JavaScript in the main world (for example, via XSS) can use a bridged `VideoFrame` to gain access to the isolated world, including any Node.js APIs exposed to the preload script. Apps are only affected if a preload script returns, resolves, or passes a `VideoFrame` object to the main world via `contextBridge.exposeInMainWorl
Be the first to review
Have you used this server?
Share your experience — it helps other developers decide.
Sign in to write a review.
Others in browser / ai-ml
Workspace template + MCP server for Claude Code, Codex CLI, Cursor & Windsurf. Multi-agent knowledge engine (ag-refresh / ag-ask) that turns any codebase into a queryable AI assistant.
The official MCP server implementation for the Perplexity API Platform
Browser automation with Puppeteer for web scraping and testing
Self-hosted URL- and file-to-Markdown service for humans and AI agents - web pages, documents, images, audio, YouTube. PWA + REST + MCP + Claude Code skill, Reddit-aware, refreshable share links.
MCP Security Weekly
Get CVE alerts and security updates for Oculo MCP Server and similar servers.
Start a conversation
Ask a question, share a tip, or report an issue.
Sign in to join the discussion.
AI-Powered Native Browser
Website · Download · Quick Start · MCP Tools · Contributing
Cursor : VSCode :: Oculo : Chrome
Open-source AI browser that gives Claude Code, Cursor, Windsurf, and any MCP client the ability to see and interact with any website. 12 tools, under 300 tokens per flow.
| Feature | |
|---|---|
| Native browser | Full Chromium engine -- not a wrapper, extension, or headless scraper |
| 12 MCP tools | page, act, fill, read, run, media, shell, tabs, research, preview, translate, lens |
| < 300 tokens/flow | Compact responses by default -- cheaper than screenshot-based approaches |
| Self-healing automation | Selector caching + DOM diffing -- 44%+ faster on repeated workflows |
| Multi-provider AI | Built-in chat with Claude, OpenAI, Gemini, Grok, OpenClaw, Ollama |
| 4-level security | auto / notify / confirm / blocked permission gate on every action |
| OS keychain vault | Credentials encrypted via electron.safeStorage (macOS Keychain / Windows DPAPI) |
| PII redaction | Credit cards, SSNs, JWTs, API keys, Bearer tokens stripped from all MCP responses |
| Anti-injection | Content boundary markers + regex-based injection detection |
| 19 stealth patches | Navigator, WebGL, canvas, WebRTC, audio, font, battery, screen fingerprint defenses |
| Headless mode | Run without UI -- Docker support included |
| Cross-platform | macOS, Windows, Linux |
| Python SDK | pip install oculo -- sync and async clients |
Grab the latest release from Releases, or build from source:
git clone https://github.com/xidik12/oculo.git
cd oculo
npm install
npm run dev
claude mcp add oculo -- node ~/oculo/bin/oculo-mcp.mjs
Add to your MCP config (.cursor/mcp.json or equivalent):
{
"mcpServers": {
"oculo": {
"command": "node",
"args": ["/path/to/oculo/bin/oculo-mcp.mjs"]
}
}
}
Tools are always discoverable (static definitions in the bridge), but Oculo must be running for tool calls to succeed.
| Tool | What it does | Token cost |
|---|---|---|
page | Describe current page -- headings, forms, buttons, links. Supports compact, a11y (ref-tagged), and markdown modes | ~30-80 |
act | Navigate, click, hover, scroll, type, press keys, login via vault, manage tabs, cookies, proxy, recording | ~1 line |
fill | Fill form fields by label/placeholder matching, optional submit. Handles text, select, checkbox, contenteditable | ~1 line |
read | Extract structured data -- search results, tables, lists, articles | compact |
run |