Trust score: 72 / 100
18 days ago
glama

PixelCheck

An MCP server that gives AI agents real browser capabilities including screenshotting, action execution, data extraction, and multi-persona auditing for frontend validation.


// key findings
🚨 Secret credentials may flow to a network call
1 flow detected: TELEGRAM_BOT_TOKEN. We can’t prove the destination matches the brand the credential belongs to.
⚠️ Known vulnerabilities in dependencies: 2 high
Affects packages this MCP installs at runtime. Upgrade or remove the affected dependency.
You'll be asked for 3 credentials: ANTHROPIC_API_KEY, STRIPE_TEST_PUBLISHABLE_KEY, TELEGRAM_BOT_TOKEN
These are read from process.env at runtime. Make sure you trust where they’ll be sent.
// known CVEs in dependencies: 2 high, 2 low

Disclosed vulnerabilities in this server's declared npm dependencies (via OSV). Whether each is reachable depends on the installed versions.

high playwright@1.49.0 GHSA-7mvr-c777-76hp

Playwright downloads and installs browsers without verifying the authenticity of the SSL certificate

high ws@8.20.0 GHSA-96hv-2xvq-fx4p

ws: Memory exhaustion DoS from tiny fragments and data chunks

ws: Uninitialized memory disclosure

low yaml@2.6.0 GHSA-48c2-rrv3-qjmp

yaml is vulnerable to Stack Overflow via deeply nested YAML collections

// required environment variables
This server reads these from process.env. You'll be asked to provide them before it can run.
πŸ” secretANTHROPIC_API_KEYβ€” "env": { "": "sk-ant-..." }
configAUDIT_ACTS_DIR
configAUDIT_AUTO_CONSENTβ€” 1 env or --auto-consent flag (read [PRIVACY.md](PRIVACY.md) first).
configAUDIT_COMPARES_DIR
configAUDIT_COST_GUARD_DISABLEDβ€” unset 1 / true to bypass entirely (CI / tests)
configAUDIT_COST_LEDGER_PATHβ€” Per-day β€” UTC-day total persisted across processes in a JSON ledger (default ~/.pixelcheck/cost-ledger.json, override via ).
configAUDIT_COST_MODE
configAUDIT_DEBUG
configAUDIT_DEBUG_LOG
configAUDIT_DIAGNOSE_DIR
configAUDIT_EXTRACTS_DIR
configAUDIT_HOME
configAUDIT_JUDGES_DIR
configAUDIT_MEMORY_DISABLED
configAUDIT_MEMORY_PATH
configAUDIT_PLAN_CACHE_DISABLED
configAUDIT_PLAN_CACHE_PATH
configAUDIT_REDACT_INPUTS
configAUDIT_RESULT_CACHE_DISABLEDβ€” unset 1 / true to bypass entirely (read = miss, write = no-op)
configAUDIT_RESULT_CACHE_PATHβ€” ~/.pixelcheck/result-cache.db SQLite path; isolate per environment
configAUDIT_SEES_DIR
configAUDIT_VENDOR_DRIFT_OK
configAUDIT_VENDOR_DRIFT_SKIP_IF_MISSING
configHTTPS_PROXY
configLOG_FILEβ€” /path/to.log unset Additionally tee logs to a file
configLOG_LEVELβ€” trace, debug, info, warn, error, fatal, silent info Minimum log level
configLOG_PRETTYβ€” 1, true, 0, false, auto auto Force pretty-print or JSON; auto decides by TTY
configMAIL_TM_BASE
configNO_PROXY
configOLLAMA_BASE_URL
configOLLAMA_CHAT_MODEL
configOLLAMA_MODEL
configPIXELCHECK_ALLOW_PRIVATE
configPIXELCHECK_DEBUG_LOG
configPIXELCHECK_HOME
configPIXELCHECK_LLM_FALLBACK
configPIXELCHECK_LLM_PROVIDER
configPIXELCHECK_LLM_TIMEOUT_MS
configPIXELCHECK_MAX_RETRIES
configPIXELCHECK_SKIP_BROWSER_DOWNLOADβ€” ignore-scripts, an offline box, or =1 β€”
configPIXELCHECK_STAGEHAND_INIT_TIMEOUT_MS
configPIXELCHECK_UNIT_DEADLINE_MS
configPIXELCHECK_VERBOSITY
configPLAYWRIGHT_BROWSERS_PATH
configPLAYWRIGHT_SKIP_BROWSER_DOWNLOAD
configSCAMLENS_ADMIN_COOKIE
configSLACK_WEBHOOK
configSTEALTH_CORE_SRC
configSTRIPE_TEST_CARD_CVC
configSTRIPE_TEST_CARD_EXP
configSTRIPE_TEST_CARD_NUMBER
πŸ” secretSTRIPE_TEST_PUBLISHABLE_KEY
πŸ” secretTELEGRAM_BOT_TOKEN
configTELEGRAM_CHAT_ID
confighttps_proxy
configno_proxy
// full audit trail
The full breakdown of what we checked, the deductions that landed, the network hosts, the dependency advisories, and concrete fix guidance is available to verified publishers.
// improvement guidance - verified publishers only
We have 3 concrete improvements we can share with the publisher of this MCP. Each comes with specific guidance to raise the trust score.
commit: 7452440f5cf038ebf14d8fbb2d07beb0fbeaac94
code hash: 397ecd4cbba928389b9156b9bc40917c461581e5831e9851076f1f7fefb658e0
verified: 6/16/2026, 1:28:38 PM