Is Oculo MCP Server safe to use?

Oculo MCP Server has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments.

How do I install Oculo MCP Server?

Oculo MCP Server supports copy-paste install configs on its MCPpedia page for Claude Desktop, Cursor, and Claude Code. Scroll to the Quick Install section and select your client.

What AI clients work with Oculo MCP Server?

Oculo MCP Server is compatible with claude-desktop, cursor, claude-code. It uses stdio and sse and http transport.

Is Oculo MCP Server actively maintained?

Oculo MCP Server is recently maintained — last commit was 69 days ago. It has 4 GitHub stars.

Oculo MCP Server

electron

AI-powered native browser with 12 MCP tools. ~30 tokens per page.

4 3.8M/wk 0 tools GitHub npm PyPI

No known CVEs

No license

Maintained

Last commit 69d ago

Works with most clients

Transport: stdio, sse, http

0 tools

Grade F

Edit this pageView history

Browser AI / ML

Step 1

Install in your client

Config is the same across clients — only the file and path differ.

Supported in Claude Desktopstdio, sse, http · Node 18+

Paste into ~/Library/Application Support/Claude/claude_desktop_config.json

{
  "mcpServers": {
    "oculo": {
      "args": [
        "/path/to/oculo/bin/oculo-mcp.mjs"
      ],
      "command": "node"
    }
  }
}

Are you the author?

Add this badge to your README to show your security score and help users find safe servers.

Embed in your READMEAbout badges →

[![MCPpedia Score](https://mcppedia.org/api/badge/io-github-xidik12-oculo)](https://mcppedia.org/s/io-github-xidik12-oculo)

Read me

What Oculo MCP Server does

Open-source AI browser that gives Claude Code, Cursor, Windsurf, and any MCP client the ability to see and interact with any website. 12 tools, under 300 tokens per flow.

Test This Server

Run this in your terminal to verify the server starts. Then let us know if it worked — your result helps other developers.

npx -y 'electron' 2>&1 | head -1 && echo "✓ Server started successfully"

After testing, let us know if it worked:

Loading README…

Scored, not listed

Why this score

Five weighted categories — click any category to see the underlying evidence.

Score breakdown

55/100across 5 weighted dimensions

How we score →

0255075100

−45

Security

Maintenance

Efficiency

Documentation

Compatibility

Categoriesclick a row to see evidence

Security

OSV.dev

48 fixed

CVE-2026-34781low · fixedCVSS 3.1

Electron: Crash in clipboard.readImage() on malformed clipboard image data

### Impact Apps that call `clipboard.readImage()` may be vulnerable to a denial of service. If the system clipboard contains image data that fails to decode, the resulting null bitmap is passed unchecked to image construction, triggering a controlled abort and crashing the process. Apps are only affected if they call `clipboard.readImage()`. Apps that do not read images from the clipboard are not affected. This issue does not allow memory corruption or code execution. ### Workarounds Validate

Affected: >= 0Fixed in 39.8.5source →

CVE-2026-34765low · fixedCVSS 3.1

Electron: Named window.open targets not scoped to the opener's browsing context

### Impact When a renderer calls `window.open()` with a target name, Electron did not correctly scope the named-window lookup to the opener's browsing context group. A renderer could navigate an existing child window that was opened by a different, unrelated renderer if both used the same target name. If that existing child was created with more permissive `webPreferences` (via `setWindowOpenHandler`'s `overrideBrowserWindowOptions`), content loaded by the second renderer inherits those permissi

Affected: >= 0Fixed in 39.8.5source →

CVE-2026-34764low · fixedCVSS 3.1

Electron: Use-after-free in offscreen shared texture release() callback

### Impact Apps that use offscreen rendering with GPU shared textures may be vulnerable to a use-after-free. Under certain conditions, the `release()` callback provided on a `paint` event texture can outlive its backing native state, and invoking it after that point dereferences freed memory in the main process, which may lead to a crash or memory corruption. Apps are only affected if they use offscreen rendering with `webPreferences.offscreen: { useSharedTexture: true }`. Apps that do not enab

Affected: >= 33.0.0-alpha.1Fixed in 39.8.5source →

CVE-2026-34780low · fixedCVSS 3.1

Electron: Context Isolation bypass via contextBridge VideoFrame transfer

### Impact Apps that pass `VideoFrame` objects (from the WebCodecs API) across the `contextBridge` are vulnerable to a context isolation bypass. An attacker who can execute JavaScript in the main world (for example, via XSS) can use a bridged `VideoFrame` to gain access to the isolated world, including any Node.js APIs exposed to the preload script. Apps are only affected if a preload script returns, resolves, or passes a `VideoFrame` object to the main world via `contextBridge.exposeInMainWorl

Affected: >= 39.0.0-alpha.1Fixed in 39.8.0source →

CVE-2026-34779low · fixedCVSS 3.1

Electron: AppleScript injection in app.moveToApplicationsFolder on macOS

### Impact On macOS, `app.moveToApplicationsFolder()` used an AppleScript fallback path that did not properly handle certain characters in the application bundle path. Under specific conditions, a crafted launch path could lead to arbitrary AppleScript execution when the user accepted the move-to-Applications prompt. Apps are only affected if they call `app.moveToApplicationsFolder()`. Apps that do not use this API are not affected. ### Workarounds There are no app side workarounds, developers

Affected: >= 0Fixed in 38.8.6source →

Community

Reviews

Be the first to review

Have you used this server?

Share your experience — it helps other developers decide.

How easy was setup?Did it work reliably?How was the documentation?

Frequently Asked Questions

Is Oculo MCP Server safe to use?: Oculo MCP Server has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments.
How do I install Oculo MCP Server?: Oculo MCP Server supports copy-paste install configs on its MCPpedia page for Claude Desktop, Cursor, and Claude Code. Scroll to the Quick Install section and select your client.
What AI clients work with Oculo MCP Server?: Oculo MCP Server is compatible with claude-desktop, cursor, claude-code. It uses stdio and sse and http transport.
Is Oculo MCP Server actively maintained?: Oculo MCP Server is recently maintained — last commit was 69 days ago. It has 4 GitHub stars.

Similar servers

Others in browser / ai-ml

View all →

Memory MCP Server98

Persistent memory using a knowledge graph

86.5k 5

Puppeteer MCP Server98

Browser automation with Puppeteer for web scraping and testing

86.5k 5

Sequential Thinking MCP Server98

Dynamic problem-solving through sequential thought chains

86.5k 1

Antigravity Workspace Template96

Workspace template + MCP server for Claude Code, Codex CLI, Cursor & Windsurf. Multi-agent knowledge engine (ag-refresh / ag-ask) that turns any codebase into a queryable AI assistant.

1.2k 2

MCP Security Weekly

Get CVE alerts and security updates for Oculo MCP Server and similar servers.

Community

Discussion

Start a conversation

Ask a question, share a tip, or report an issue.

Has anyone used this with Cursor?How do you handle auth?Any alternatives?

Edit this pageView history

Browser AI / ML

Step 1

Install in your client

Config is the same across clients — only the file and path differ.

Supported in Claude Desktopstdio, sse, http · Node 18+

Paste into ~/Library/Application Support/Claude/claude_desktop_config.json

{
  "mcpServers": {
    "oculo": {
      "args": [
        "/path/to/oculo/bin/oculo-mcp.mjs"
      ],
      "command": "node"
    }
  }
}

Are you the author?

Add this badge to your README to show your security score and help users find safe servers.

Embed in your READMEAbout badges →

[![MCPpedia Score](https://mcppedia.org/api/badge/io-github-xidik12-oculo)](https://mcppedia.org/s/io-github-xidik12-oculo)

Read me

What Oculo MCP Server does

Open-source AI browser that gives Claude Code, Cursor, Windsurf, and any MCP client the ability to see and interact with any website. 12 tools, under 300 tokens per flow.

Test This Server

Run this in your terminal to verify the server starts. Then let us know if it worked — your result helps other developers.

npx -y 'electron' 2>&1 | head -1 && echo "✓ Server started successfully"

After testing, let us know if it worked:

README

Oculo

AI-Powered Native Browser

Website · Download · Quick Start · MCP Tools · Contributing

Cursor : VSCode :: Oculo : Chrome

Open-source AI browser that gives Claude Code, Cursor, Windsurf, and any MCP client the ability to see and interact with any website. 12 tools, under 300 tokens per flow.

Why Oculo?

	Feature
Native browser	Full Chromium engine -- not a wrapper, extension, or headless scraper
12 MCP tools	page, act, fill, read, run, media, shell, tabs, research, preview, translate, lens
< 300 tokens/flow	Compact responses by default -- cheaper than screenshot-based approaches
Self-healing automation	Selector caching + DOM diffing -- 44%+ faster on repeated workflows
Multi-provider AI	Built-in chat with Claude, OpenAI, Gemini, Grok, OpenClaw, Ollama
4-level security	auto / notify / confirm / blocked permission gate on every action
OS keychain vault	Credentials encrypted via `electron.safeStorage` (macOS Keychain / Windows DPAPI)
PII redaction	Credit cards, SSNs, JWTs, API keys, Bearer tokens stripped from all MCP responses
Anti-injection	Content boundary markers + regex-based injection detection
19 stealth patches	Navigator, WebGL, canvas, WebRTC, audio, font, battery, screen fingerprint defenses
Headless mode	Run without UI -- Docker support included
Cross-platform	macOS, Windows, Linux
Python SDK	`pip install oculo` -- sync and async clients

Quick Start

Download

Grab the latest release from Releases, or build from source:

git clone https://github.com/xidik12/oculo.git
cd oculo
npm install
npm run dev

Register with Claude Code

claude mcp add oculo -- node ~/oculo/bin/oculo-mcp.mjs

Register with Cursor / Windsurf

Add to your MCP config (.cursor/mcp.json or equivalent):

{
  "mcpServers": {
    "oculo": {
      "command": "node",
      "args": ["/path/to/oculo/bin/oculo-mcp.mjs"]
    }
  }
}

Tools are always discoverable (static definitions in the bridge), but Oculo must be running for tool calls to succeed.

12 MCP Tools

Tool	What it does	Token cost
`page`	Describe current page -- headings, forms, buttons, links. Supports compact, a11y (ref-tagged), and markdown modes	~30-80
`act`	Navigate, click, hover, scroll, type, press keys, login via vault, manage tabs, cookies, proxy, recording	~1 line
`fill`	Fill form fields by label/placeholder matching, optional submit. Handles text, select, checkbox, contenteditable	~1 line
`read`	Extract structured data -- search results, tables, lists, articles	compact
`run`

... View full README on GitHub

Loading README…

Scored, not listed

Why this score

Five weighted categories — click any category to see the underlying evidence.

Score breakdown

55/100across 5 weighted dimensions

How we score →

0255075100

−45

Security

Maintenance

Efficiency

Documentation

Compatibility

Categoriesclick a row to see evidence

Security

OSV.dev

48 fixed

CVE-2026-34781low · fixedCVSS 3.1

Electron: Crash in clipboard.readImage() on malformed clipboard image data

Affected: >= 0Fixed in 39.8.5source →

CVE-2026-34765low · fixedCVSS 3.1

Electron: Named window.open targets not scoped to the opener's browsing context

Affected: >= 0Fixed in 39.8.5source →

CVE-2026-34764low · fixedCVSS 3.1

Electron: Use-after-free in offscreen shared texture release() callback

Affected: >= 33.0.0-alpha.1Fixed in 39.8.5source →

CVE-2026-34780low · fixedCVSS 3.1

Electron: Context Isolation bypass via contextBridge VideoFrame transfer

Affected: >= 39.0.0-alpha.1Fixed in 39.8.0source →

CVE-2026-34779low · fixedCVSS 3.1

Electron: AppleScript injection in app.moveToApplicationsFolder on macOS

Affected: >= 0Fixed in 38.8.6source →

Community

Reviews

Be the first to review

Have you used this server?

Share your experience — it helps other developers decide.

How easy was setup?Did it work reliably?How was the documentation?

Frequently Asked Questions

Is Oculo MCP Server safe to use?: Oculo MCP Server has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments.
How do I install Oculo MCP Server?: Oculo MCP Server supports copy-paste install configs on its MCPpedia page for Claude Desktop, Cursor, and Claude Code. Scroll to the Quick Install section and select your client.
What AI clients work with Oculo MCP Server?: Oculo MCP Server is compatible with claude-desktop, cursor, claude-code. It uses stdio and sse and http transport.
Is Oculo MCP Server actively maintained?: Oculo MCP Server is recently maintained — last commit was 69 days ago. It has 4 GitHub stars.

Similar servers

Others in browser / ai-ml

View all →

Memory MCP Server98

Persistent memory using a knowledge graph

86.5k 5

Puppeteer MCP Server98

Browser automation with Puppeteer for web scraping and testing

86.5k 5

Sequential Thinking MCP Server98

Dynamic problem-solving through sequential thought chains

86.5k 1

Antigravity Workspace Template96

Workspace template + MCP server for Claude Code, Codex CLI, Cursor & Windsurf. Multi-agent knowledge engine (ag-refresh / ag-ask) that turns any codebase into a queryable AI assistant.

1.2k 2

MCP Security Weekly

Get CVE alerts and security updates for Oculo MCP Server and similar servers.

Community

Discussion

Start a conversation

Ask a question, share a tip, or report an issue.

Has anyone used this with Cursor?How do you handle auth?Any alternatives?