autopilot-mcp
Provides tools for accessing and managing a Bitwarden vault, including listing logins, filling credentials into forms, generating TOTP codes, creating/updating/deleting entries, and revealing credentials with auditing.
Allows reading SMS verification codes by navigating to the Google Messages web interface.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@autopilot-mcplog into my bank account and show the balance"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
autopilot-mcp
A browser-automation MCP server. It hands an LLM a generic set of browser tools — navigate, screenshot, read text, run JS, click, type — that work on any URL, with each site backed by its own persistent Camoufox browser profile. Logins are filled straight from a Bitwarden vault so passwords never enter the model's context, and any sequence of steps that works can be saved as a "playbook" for one-call replay next time.
Tools
Browser (free-roam)
Each registrable domain (eTLD+1) gets its own persistent browser profile
under data/profiles/<profile>/. navigate(url) auto-derives the profile
from the URL; everything else takes profile explicitly.
Tool | Description |
| Open a URL. Auto-derives profile from eTLD+1 (overridable). Returns visible text. |
| PNG screenshot of the profile's current page. |
| Visible text only — cheaper than a screenshot. |
| Current URL for the profile. |
| Preferred for form fills / button clicks. Selector-based. |
| Click at (x, y). Use when run_js can't target the element. |
| Type into the focused element. |
| Attach a local file to a |
| Scroll up or down. |
For parallel work on the same site, use isolated browser instances — each clones the site's base profile so concurrent sessions don't collide:
Tool | Description |
| Clone a base profile into a temporary isolated browser profile and open a URL. Returns |
| List live spawned instances and TTLs. |
| Close an instance and delete its temporary profile. |
| Browser navigation/inspection scoped to one |
| Page interaction scoped to one |
| Upload/login helpers scoped to one |
Example: spawn_instance(url="https://accounts.google.com/...", clone_from_profile="google.com")
lets each Gmail cleanup branch use its own cloned Google session. Always call
close_instance(instance_id) when the branch is finished; timed-out instances
are also cleaned up automatically.
Credentials (Bitwarden, fill-don't-reveal)
Tool | Description |
| Search the vault. Returns id/name/urls/username — never passwords. |
| Inject creds from Bitwarden straight into form fields. Password never returns. |
| Current 6-digit TOTP from Bitwarden (single source of truth). |
| New vault entry. Refuses name collision. |
| Patch fields on an existing entry. |
| Create-or-update by (url, username). The signup convenience path. |
| Send to Bitwarden trash. Requires |
| ESCAPE HATCH — returns plaintext. Requires |
Local file server (uploads)
For sites that ask the user to upload a local file. Two paths:
Standard
<input type="file">— useattach_file(profile, selector, path). Works even when the input is hidden inside a custom dropzone widget; target the input itself, not the visible drop area.Pure-JS uploader (no real input element) — use the local CORS file server below. The MCP publishes the file at an unguessable URL on
127.0.0.1; the LLM usesrun_jstofetch()it inside the page, wrap the Blob in aFile, and dispatch a syntheticdropevent (or set it on a hidden input viaDataTransfer).
Tool | Description |
| Publish a local file at |
| List currently-published files. |
| Revoke a token immediately. |
Security envelope: server binds 127.0.0.1 only; tokens are uuid4 hex (122
bits of entropy); one token = one file path (no directory traversal); idle
entries reaped on every request. Override the bind via
AUTOPILOT_FILE_SERVER_HOST / AUTOPILOT_FILE_SERVER_PORT env vars.
Playbooks
Tool | Description |
| List saved playbooks (filter by |
| Execute a playbook. Returns screenshots/text from observation steps. |
| Save a step sequence. Call after a successful task. |
| Remove a broken playbook. |
| List run-ledger entries (one record per execution), newest first; filter by name/success. |
| Fetch one run ledger's full JSON by |
Related MCP server: Playwrightium
Workflow
list_playbooks(url_match)— is there already a playbook for this task?run_playbook(name)— if yes, run it. Done.Otherwise:
navigate(url)→screenshot/get_text→run_js/click/type_text.On a login page:
fill_login(url)— Bitwarden injects creds directly. If the form needs 2FA:get_totp(vault_item)thentype_text(profile, code).For SMS 2FA:
navigate("https://messages.google.com/web/")and read the code from Google Messages.After the task succeeds,
save_playbook(...)so next time is one call.Just signed up somewhere new?
upsert_login(url, username, password)stores it and Bitwarden sync pushes to your other devices.
Credentials setup (Bitwarden)
The MCP unlocks Bitwarden with a master password stashed in the OS keyring
(DPAPI-encrypted on Windows, scoped to your user). On each start it pulls the
master password from the keyring, runs bw unlock --raw, and caches the
session token in RAM only — idle-expires after 15 minutes, re-locks on
shutdown. The master password never lands on disk outside the OS keyring, and
never enters the model's context.
One-time setup for a fresh machine, top to bottom:
1. Install the Bitwarden CLI
winget install --id Bitwarden.CLI --accept-source-agreements --accept-package-agreementswinget puts bw.exe on PATH via a shim — open a new shell afterward so the
update takes effect. (No winget? npm install -g @bitwarden/cli, or grab a
binary from https://bitwarden.com/download/.) Verify:
bw --version # e.g. 2026.3.0
bw status # {"status":"unauthenticated", ...}2. Log in
Interactive — only your terminal sees the master password.
bw loginPrompts for email, master password, and a two-step token. On success
bw status reports "status":"locked" — leave it locked; the MCP unlocks on
demand.
3. Stash the master password in the OS keyring
Keep it out of .env and off the command line. After uv sync, stash it at
the hidden prompt:
uv run python -c "import keyring, getpass; keyring.set_password('autopilot-mcp', 'bw_master', getpass.getpass('Master password: ')); print('stored')"This writes to service autopilot-mcp, username bw_master. Confirm without
printing the value:
uv run python -c "import keyring; v = keyring.get_password('autopilot-mcp', 'bw_master'); print(f'present={v is not None} length={len(v) if v else 0} backend={keyring.get_keyring().__class__.__name__}')"
# present=True length=<your pw length> backend=WinVaultKeyring4. Smoke-test the unlock loop
Runs the real path — keyring read, bw unlock, list, lock — without printing
the password:
uv run python -c "
import json, os, subprocess, keyring
pw = keyring.get_password('autopilot-mcp', 'bw_master')
assert pw, 'keyring empty'
subprocess.run(['bw', 'sync'], check=True)
u = subprocess.run(['bw', 'unlock', '--raw', '--passwordenv', 'BW_PW'],
env={**os.environ, 'BW_PW': pw}, capture_output=True, text=True, check=True)
session = u.stdout.strip()
items = json.loads(subprocess.run(['bw', 'list', 'items', '--search', 'example',
'--session', session],
capture_output=True, text=True, check=True).stdout)
print(f'vault items matching \"example\": {len(items)}')
subprocess.run(['bw', 'lock', '--session', session], check=True)
"If it completes without errors, setup is done.
Maintenance
Rotate the master password — re-stash; the entry is overwritten in place:
uv run python -c "import keyring, getpass; keyring.set_password('autopilot-mcp', 'bw_master', getpass.getpass('New master password: '))"Remove the keyring entry (the MCP then fails at startup until restored):
uv run python -c "import keyring; keyring.delete_password('autopilot-mcp', 'bw_master')"bwfell off PATH — open a new shell (winget's PATH update doesn't reach already-open shells); if still missing, re-run the install from step 1.Force a full re-sync —
bw sync --force. The MCP runsbw syncafter every write, so this is only needed if the vault was edited elsewhere and you want the in-RAM cache to refresh before idle expiry.Log out —
bw logoutdrops the account from localbwstate; repeat steps 2–3 to restore.
Initial browser session setup
Each profile gets one persistent browser profile the first time it's opened. For sites where you want the session pre-established (to handle 2FA challenges / "remember me" outside the MCP flow):
uv run python scripts/manual_login.py <url>A visible Camoufox window opens at the URL. Log in, complete 2FA, check
"remember me", close the window. The profile at data/profiles/<eTLD+1>/
persists across headless MCP invocations.
Environment variables
All optional — defaults are sane for local use.
Variable | Default | Description |
|
| Set |
|
| Per-page navigation/action timeout, in ms. |
|
| Wall-clock cap on a single tool call. |
|
| Wall-clock cap on a |
|
| Timeout for a single |
|
| Bind interface for the local file server. |
|
| Bind port for the local file server ( |
|
|
|
|
| Root log level for all |
| — | Override the Bitwarden CLI data directory (standard |
Credentials are pulled from Bitwarden — there are no per-site username/password environment variables.
Development
uv sync --extra dev
uv run camoufox fetch
uv run ruff check .
uv run pytest
uv run python server.py # stdio modeThis server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/TylerFlar/autopilot-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server