I maintain an MCP server that lets a coding agent drive your real, logged-in Safari — the same browser where your bank, your email, and your half-written Slack messages live. The whole premise only works if there's one ironclad rule:
The agent may only touch tabs it opened. Never yours.
I wrote that guard early. It was a small function: before any page-mutating action, check that the target tab is one the agent owns. I dropped it into the wrapper that safari_click and safari_fill both flow through, watched the two of them refuse to act on an unowned tab, and moved on feeling responsible.
It took three separate audits to discover that the guard was, for most of its life, decorative.
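As an added illustration (not the project's own code) of the rule above, here is the ownership guard enforced at a single dispatch point that every tool call passes through, rather than inside the wrapper of particular tools; TabRegistry, dispatch and safari_read are hypothetical names, and the list stands in for Safari.

```python
# Added example, not the MCP server's code. TabRegistry, dispatch and
# safari_read are hypothetical; safari_click and safari_fill are the tool
# names from the post. The guard lives in dispatch(), the one path every
# tool call takes, so no tool can sidestep it by skipping a wrapper.

class UnownedTabError(PermissionError):
    """Raised when a page-mutating tool targets a tab the agent did not open."""

class TabRegistry:
    def __init__(self):
        self.owned = set()          # tab ids the agent itself opened

    def open_tab(self, tab_id):
        # Only tabs created through this path ever become agent-owned.
        self.owned.add(tab_id)

    def assert_owned(self, tab_id):
        if tab_id not in self.owned:
            raise UnownedTabError(f"tab {tab_id!r} was not opened by the agent")

# Every tool that can change page state is named here; read-only tools are not.
MUTATING_TOOLS = {"safari_click", "safari_fill"}

def make_tools(log):
    # Tool bodies only append to a constructed log, standing in for real Safari.
    def safari_click(tab_id, selector):
        log.append(("click", tab_id, selector))
    def safari_fill(tab_id, selector, text):
        log.append(("fill", tab_id, selector, text))
    def safari_read(tab_id):              # read-only, so not guarded
        return [e for e in log if e[1] == tab_id]
    return {"safari_click": safari_click, "safari_fill": safari_fill,
            "safari_read": safari_read}

def dispatch(registry, tools, name, **args):
    """Single choke point: the ownership check runs for every mutating tool."""
    if name in MUTATING_TOOLS:
        registry.assert_owned(args["tab_id"])
    return tools[name](**args)

def demo():
    registry, log = TabRegistry(), []
    tools = make_tools(log)
    registry.open_tab("agent-1")          # opened by the agent: allowed
    dispatch(registry, tools, "safari_fill", tab_id="agent-1", selector="#q", text="hi")
    try:                                  # user's own tab: must be refused
        dispatch(registry, tools, "safari_click", tab_id="user-bank", selector="#send")
        blocked = False
    except UnownedTabError:
        blocked = True
    return blocked, len(log)
```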
Round 1: the guard was in a place almost nothing went through