Summary
The MCP server sends usage telemetry to Google Clearcut (play.googleapis.com/log) by default, without asking for user consent on first run.
What is sent
- MCP client name (Claude Code, Cursor, Gemini, etc.)
- Tool names invoked (click, take_screenshot, evaluate_script, etc.)
- Success/failure status
- Bucketed latency
- OS and app version
- Session UUID
No page content, URLs, or user data is sent.
Issue
While the data collected is not sensitive, telemetry should follow an opt-in model rather than opt-out, especially for a tool that has access to browser sessions (potentially authenticated pages, internal tools, etc.).
The --no-usage-statistics flag exists but is not documented prominently and is not the default.
Suggestion
- Default to --no-usage-statistics (opt-in instead of opt-out)
- Or prompt the user on first run to choose
- Or at minimum, display a clear notice at startup that telemetry is active
Found during a security audit of MCP servers.