Skip to content

Commit 6d402a8

Browse files
committed
docs(skill): default --block-private-networks for agent-driven examples
Adds a new Security section to SKILL.md and turns --block-private-networks on by default in every canonical command across MCP, CLI, and CDP. The flag already exists in the Lightpanda binary — this is a docs/defaults change, not a feature. Threat model ============ Lightpanda executes page JavaScript. A skill specifically marketed for agent integrations (Claude Code, Openclaw, others — per the README) is going to feed it URLs that originate outside the agent's control: search-result links, redirects, page-internal fetch calls, embedded <iframe> srcs. Any of those can resolve to localhost, RFC1918 ranges, or cloud-metadata endpoints (169.254.169.254 etc.). This is plain old SSRF — the only novelty is the agent context, which makes it more likely the user didn't manually vet the URL. --block-private-networks is the kernel-level IP filter Lightpanda already provides for exactly this case: it inspects post-DNS destination IPs and rejects anything in private ranges, regardless of what triggered the request (page JS, redirect chain, subresource). Changes ======= - New 'Security: block private networks for agent-driven use' section between Install and 'When to Use What', explaining the threat model. - Flag added to: claude mcp add, MCP JSON args, lead + 3 follow-up CLI fetch examples, canonical lightpanda serve command. - --block-private-networks + --block-cidrs documented in CLI fetch options list with brief descriptions and a back-link to Security. - --block-private-networks documented in CDP serve options list. - One-paragraph callout under canonical serve command explaining CDP has the same SSRF surface as MCP/CLI flows. - scripts/install.sh: final Run with: echo updated to match new canonical command. Users with legitimate need to hit private hosts (own dev server, staging behind VPN, intranet docs) just drop the flag — explicit guidance for when that's appropriate is included throughout.
1 parent bc562f3 commit 6d402a8

2 files changed

Lines changed: 19 additions & 8 deletions

File tree

SKILL.md

Lines changed: 18 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -34,6 +34,10 @@ If issues persist after updating, open a GitHub issue at https://github.com/ligh
3434
- The script or MCP tool call that reproduces the issue
3535
- The target URL and expected vs actual results
3636

37+
## Security: block private networks for agent-driven use
38+
39+
Lightpanda executes page JavaScript, so a malicious page reached via an agent-supplied URL (search-result link, redirect, JS-driven `fetch`, etc.) can issue requests to `localhost`, RFC1918 ranges, and cloud-metadata endpoints (e.g. `169.254.169.254`). When using Lightpanda for untrusted browsing — web search, link-following, arbitrary page automation — always pass `--block-private-networks` so the kernel-level IP filter rejects those requests after DNS resolution, regardless of what triggered them. The MCP/CLI/CDP examples below include the flag; drop it only when you intentionally need to reach a private host (e.g. scraping your own dev server). For finer control, combine with `--block-cidrs` to allow specific addresses (`--block-cidrs -10.0.0.42/32`) or block additional ranges.
40+
3741
## When to Use What
3842

3943
Lightpanda offers three interfaces. Choose based on your needs:
@@ -51,7 +55,7 @@ The MCP server is the simplest way for agents to use Lightpanda. It exposes purp
5155
### Setup for Claude Code
5256

5357
```bash
54-
claude mcp add lightpanda -- $HOME/.local/bin/lightpanda mcp
58+
claude mcp add lightpanda -- $HOME/.local/bin/lightpanda mcp --block-private-networks
5559
```
5660

5761
### Setup for other MCP clients
@@ -63,7 +67,7 @@ Add to your MCP client configuration:
6367
"mcpServers": {
6468
"lightpanda": {
6569
"command": "$HOME/.local/bin/lightpanda",
66-
"args": ["mcp"]
70+
"args": ["mcp", "--block-private-networks"]
6771
}
6872
}
6973
}
@@ -111,7 +115,7 @@ A typical agent workflow:
111115
For one-off page extraction without starting a server:
112116

113117
```bash
114-
$HOME/.local/bin/lightpanda fetch --dump markdown --wait-until networkidle https://example.com
118+
$HOME/.local/bin/lightpanda fetch --block-private-networks --dump markdown --wait-until networkidle https://example.com
115119
```
116120

117121
### Options
@@ -122,22 +126,26 @@ $HOME/.local/bin/lightpanda fetch --dump markdown --wait-until networkidle https
122126
- `--strip-mode` — Remove tag groups from output: `js`, `css`, `ui`, `full` (comma-separated)
123127
- `--with-frames` — Include iframe contents in the dump
124128
- `--obey-robots` — Fetch and obey robots.txt
129+
- `--block-private-networks` — Drop requests to private/internal IPs (recommended for untrusted URLs; see [Security](#security-block-private-networks-for-agent-driven-use))
130+
- `--block-cidrs CIDR[,CIDR...]` — Block (or, with `-` prefix, allow) specific CIDR ranges; combinable with the flag above
125131

126132
### Examples
127133

134+
All examples below keep `--block-private-networks` on by default — see [Security](#security-block-private-networks-for-agent-driven-use). Drop it only when you're intentionally targeting a private host you control.
135+
128136
Extract page as markdown:
129137
```bash
130-
$HOME/.local/bin/lightpanda fetch --dump markdown https://example.com
138+
$HOME/.local/bin/lightpanda fetch --block-private-networks --dump markdown https://example.com
131139
```
132140

133141
Extract semantic tree (compact, AI-friendly):
134142
```bash
135-
$HOME/.local/bin/lightpanda fetch --dump semantic_tree_text --wait-until networkidle https://example.com
143+
$HOME/.local/bin/lightpanda fetch --block-private-networks --dump semantic_tree_text --wait-until networkidle https://example.com
136144
```
137145

138146
Fetch with longer wait for slow pages:
139147
```bash
140-
$HOME/.local/bin/lightpanda fetch --dump html --wait-ms 10000 --wait-until networkidle https://example.com
148+
$HOME/.local/bin/lightpanda fetch --block-private-networks --dump html --wait-ms 10000 --wait-until networkidle https://example.com
141149
```
142150

143151
## CDP Server — Advanced Automation
@@ -146,13 +154,16 @@ For full browser control via Playwright or Puppeteer:
146154

147155
### Start the Browser Server
148156
```bash
149-
$HOME/.local/bin/lightpanda serve --host 127.0.0.1 --port 9222
157+
$HOME/.local/bin/lightpanda serve --host 127.0.0.1 --port 9222 --block-private-networks
150158
```
151159

160+
The canonical command keeps `--block-private-networks` on — see [Security](#security-block-private-networks-for-agent-driven-use). CDP is one of the documented automation paths, and a Playwright/Puppeteer client driving the browser at agent-supplied URLs has the same SSRF surface as MCP/CLI flows. Drop the flag only when you're driving the browser at private hosts you control (your own dev server, staging behind a VPN).
161+
152162
Options:
153163
- `--log-level info|debug|warn|error` — Set logging verbosity
154164
- `--log-format pretty|logfmt` — Output format for logs
155165
- `--obey-robots` — Fetch and obey robots.txt
166+
- `--block-private-networks` — Drop page-initiated requests to private/internal IPs. Kept on in the canonical command above; omit only when driving the browser at your own internal targets.
156167

157168
### Using with playwright-core
158169

scripts/install.sh

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -132,4 +132,4 @@ fi
132132
echo ""
133133
echo "=== Setup Complete ==="
134134
echo "Binary location: $INSTALL_DIR/$BINARY_NAME"
135-
echo "Run with: lightpanda serve --host 127.0.0.1 --port 9222"
135+
echo "Run with: lightpanda serve --host 127.0.0.1 --port 9222 --block-private-networks"

0 commit comments

Comments
 (0)