Remove DANGEROUSLY_OMIT_AUTH from dev scripts

JLLeitschuh · web-flow · commit 21423c900376 · 2025-10-24T10:42:32.000-07:00
The `DANGEROUSLY_OMIT_AUTH=true` allows any website visited by a developer to maliciously attack the MCP server running locally on the dev machine, achieving remote code execution. https://www.tenable.com/blog/how-tenable-research-discovered-a-critical-remote-code-execution-vulnerability-on-anthropic
diff --git a/packages/agent-infra/mcp-servers/browser/package.json b/packages/agent-infra/mcp-servers/browser/package.json
@@ -37,9 +37,9 @@
   ],
   "scripts": {
     "build": "shx rm -rf dist && rslib build && shx chmod +x dist/*.{js,cjs}",
-    "dev": "DANGEROUSLY_OMIT_AUTH=true npx -y @modelcontextprotocol/inspector tsx src/index.ts",
+    "dev": "npx -y @modelcontextprotocol/inspector tsx src/index.ts",
     "dev:server": "tsx --watch src/index.ts --port 3000 --vision",
-    "dev:vision": "DANGEROUSLY_OMIT_AUTH=true npx -y @modelcontextprotocol/inspector tsx src/index.ts --vision",
+    "dev:vision": "npx -y @modelcontextprotocol/inspector tsx src/index.ts --vision",
     "prepare": "npm run build",
     "prepublishOnly": "tsx scripts/update-readme.ts",
     "test": "vitest run --config=./vitest.config.mts",
