Tabduct
Allows controlling Brave browser tabs via MCP, including listing, reading content, clicking, typing, and managing tabs in the user's existing session.
Give your CLI coding agent a handle on the real browser you're already using — the tabs you're logged into, not a throwaway sandbox.
Tabduct is a tiny, local, agent-agnostic bridge. It exposes your already-open, already-logged-in browser tabs to any agent that speaks the Model Context Protocol (MCP) — Claude Code today; Kilo, OpenCode, Cursor, and anything MCP-capable tomorrow.
No built-in chat. No embedded LLM. No vector DB. No telemetry. No native modules. It does exactly one thing: hand your agent the tab you point it at — under your consent, on your machine only.
CLI agent (Claude Code / Kilo / OpenCode / …)
    │  MCP (streamable HTTP, 127.0.0.1)            ← standard, language-neutral
    ▼
Tabduct host (Node · Python · .NET — pick one)     ← implements /protocol
    │  Chrome Native Messaging (stdio)             ← Tabduct wire protocol
    ▼
Tabduct extension (MV3 background service worker)  ← the one shared impl
    │  chrome.tabs / chrome.scripting
    ▼
Your live browser tab (cookies, sessions, DOM)
Why Tabduct
Your real session. The agent works with your logged-in tabs — no re-login, no captchas, no throwaway profile.
Local-only & private. Binds 127.0.0.1, guarded by a per-session bearer token. Nothing ever leaves your machine — no server, no telemetry, no external calls.
You're always in control. Default-deny consent: share one tab or everything, block- or allow-list origins, read-only mode, auto-expiry, and a visible "⚡" group of shared tabs you can drag in and out.
Agent- and language-agnostic. MCP to the north, a tiny documented wire protocol to the south. One extension is the fixed point; every host is a thin adapter.
Minimal & auditable. Reference host ~1–1.5k lines, zero native dependencies.
Quickstart
Runs on macOS, Linux, and Windows, with Chrome, Chromium, Edge, or Brave. Requires Node ≥ 18.
git clone https://github.com/ultrathinker/tabduct.git && cd tabduct
npm install
npm run register # installs the native-messaging manifest for your OS + browser
# other browsers: node hosts/node/bin/tabduct.js register --browser edge|brave|chromium
register writes the manifest to the right place automatically — ~/Library/Application Support/…/NativeMessagingHosts on macOS, ~/.config/…/NativeMessagingHosts on Linux, or an HKCU registry key on Windows (and makes the launcher executable on POSIX). Then:
Open chrome://extensions → enable Developer mode → Load unpacked → select the extension/ folder.
Click the Tabduct toolbar icon → Connect (the header dot turns green).
Open Settings (⚙) → copy the MCP endpoint and Authorization token.
Paste them into your agent's MCP config (below) and reload the agent.
Share what the agent may touch: Share Current Tab, or Share Everything. That's it.
Diagnose the host anytime with npm run doctor. In-app help lives under Settings → How it works.
Point your agent at it (MCP)
With the shared hub (on by default), every browser you connect appears behind one stable endpoint with a token that never changes:
{
  "mcpServers": {
    "tabduct": {
      "type": "http",
      "url": "http://127.0.0.1:12311/mcp",
      "headers": { "Authorization": "Bearer PASTE_TOKEN_FROM_SETTINGS" }
    }
  }
}
Reload your agent and it discovers the Tabduct tools below. (Prefer a direct, per-browser endpoint? Turn the hub off in Settings — the popup then shows that browser's own port and token.)
Tools
Tool | What it does |
| Enumerate / get the focused tab — filtered to shared tabs only |
| Read a shared tab's text/HTML, or a compact outline of its interactive elements |
| Capture the visible tab (returned as an MCP image) |
| Click an element / type into a field, by CSS selector |
| Wait for a selector, URL fragment, or load state (bounded) |
| Point a shared tab at a URL |
| Tab management |
| Read the tab's console output (plus uncaught errors, in CDP mode) |
| Run arbitrary JS in a shared tab — read and modify the page |
Most tools — including click / type / wait_for / get_dom_snapshot — run as
injected functions, so they work even on strict-CSP sites (GitHub, banks, SaaS).
Only arbitrary-string execute_script is blocked by a page's CSP; for that, opt into
CDP mode (see below). Unshared tabs are completely invisible — the agent
can't even read their title.
Security & consent
The endpoint is token-authenticated — not merely bound to localhost (which
every local process shares). On Connect the extension mints a bearer token; the
host requires Authorization: Bearer <token> on every request, rejects
Origin-bearing requests, and pins the Host header (DNS-rebinding defense).
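The three request checks described above (pinned Host, no Origin, bearer token on every request) can be expressed as one gate in front of the MCP handler. This is an added sketch, not Tabduct's own code: the function names, the reason strings and the sample token are assumptions, and the port is the one from the MCP config on this page.

```javascript
// Added illustration, not Tabduct's source. The token and hostnames below are
// constructed; the port is the one from the MCP config on this page.
const crypto = require('node:crypto');

const EXPECTED_HOST = '127.0.0.1:12311';

// Hash both sides so timingSafeEqual always sees equal-length buffers.
function tokenMatches(presented, expected) {
  const a = crypto.createHash('sha256').update(presented).digest();
  const b = crypto.createHash('sha256').update(expected).digest();
  return crypto.timingSafeEqual(a, b);
}

// headers: lower-cased header map, as Node's http module provides it.
// Returns { ok, status, reason } so the caller can log why a request was refused.
function checkRequest(headers, expectedToken) {
  // 1. Host pinning: a request that reached us via a rebound DNS name still
  //    carries that name in Host, so anything but the literal bind address fails.
  if (headers.host !== EXPECTED_HOST) {
    return { ok: false, status: 403, reason: 'host-mismatch' };
  }
  // 2. Browsers attach Origin to the cross-origin POSTs a web page can make;
  //    a CLI agent sends none, so any Origin means the caller is a page.
  if (headers.origin !== undefined) {
    return { ok: false, status: 403, reason: 'origin-present' };
  }
  // 3. Bearer token, required on every request.
  const m = /^Bearer ([A-Za-z0-9._~+\/-]+=*)$/.exec(headers.authorization || '');
  if (!m || !tokenMatches(m[1], expectedToken)) {
    return { ok: false, status: 401, reason: 'bad-token' };
  }
  return { ok: true, status: 200, reason: 'ok' };
}

// Constructed sample requests.
const TOKEN = 'example-token-not-real';
const samples = [
  { host: '127.0.0.1:12311', authorization: `Bearer ${TOKEN}` },
  { host: 'rebind.example:12311', authorization: `Bearer ${TOKEN}` },
  { host: '127.0.0.1:12311', origin: 'https://site.example', authorization: `Bearer ${TOKEN}` },
  { host: '127.0.0.1:12311', authorization: 'Bearer wrong' },
  { host: '127.0.0.1:12311' },
];
const reasons = samples.map((h) => checkRequest(h, TOKEN).reason);
console.log(reasons.join(', '));
```
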
Consent is default-deny and enforced inside the extension (the sole path to the browser). All of these are in the popup:
Origin filter — Block mode (listed sites are never shared) or Allow mode (only listed sites can ever be shared). Overrides every sharing mode.
Lock shared tabs to their domain (default on) — a shared tab that navigates away loses access, so a shared shopping tab can't follow you into your bank.
Read-only — the agent may look but never click, type, navigate, run scripts, or open/close tabs.
Auto-expire — un-shares everything after a chosen time (5 min … 10 h).
Don't auto-share tabs the agent opens (default on).
CDP mode (Advanced, opt-in, default off) — grants the optional debugger permission so execute_script can bypass a page's CSP, with an optional "developer mode" that routes all eval through it and full console/error capture. Chrome shows a "being debugged" banner while it's in use; still gated by consent (never in read-only).
Sharing lives in session storage → it resets when the browser restarts.
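How the consent controls listed above combine into a single default-deny decision is easiest to see as code. The following is an added sketch, not the extension's implementation: the policy field names, the action names other than click, and the use of the URL hostname to stand in for "domain" are all assumptions.

```javascript
// Added illustration, not Tabduct's source. Policy fields and action names are
// hypothetical; "domain" is approximated by URL hostname (an assumption).
const READ_ACTIONS = new Set(['list_tabs', 'read', 'screenshot']);

function decide(policy, tab, action, now) {
  const url = new URL(tab.url);
  // Auto-expire: past the deadline everything is un-shared.
  if (policy.expiresAt !== null && now >= policy.expiresAt) return 'deny:expired';
  // Origin filter overrides every sharing mode, so it is checked before grants.
  const listed = policy.filter.origins.includes(url.origin);
  if (policy.filter.mode === 'block' && listed) return 'deny:origin-blocked';
  if (policy.filter.mode === 'allow' && !listed) return 'deny:origin-not-allowed';
  // Default-deny: a tab needs its own grant or "share everything".
  const grant = policy.sharedTabs.get(tab.id);
  if (!grant && !policy.shareAll) return 'deny:not-shared';
  // Domain lock: a tab shared on one host loses access after navigating away.
  if (policy.lockDomain && grant && grant.host !== url.hostname) return 'deny:left-domain';
  // Read-only: looking is allowed, acting is not.
  if (policy.readOnly && !READ_ACTIONS.has(action)) return 'deny:read-only';
  return 'allow';
}

// Constructed policy: two tabs shared while on shop.example, bank blocked.
const basePolicy = {
  shareAll: false,
  sharedTabs: new Map([[1, { host: 'shop.example' }], [2, { host: 'shop.example' }]]),
  filter: { mode: 'block', origins: ['https://bank.example'] },
  lockDomain: true,
  readOnly: false,
  expiresAt: 1000, // constructed timestamp
};
const shopTab = { id: 1, url: 'https://shop.example/cart' };

function demoDecisions() {
  return [
    decide(basePolicy, shopTab, 'click', 500),
    decide(basePolicy, { id: 2, url: 'https://bank.example/login' }, 'read', 500),
    decide(basePolicy, { id: 2, url: 'https://news.example/' }, 'read', 500),
    decide(basePolicy, { id: 3, url: 'https://news.example/' }, 'read', 500),
    decide({ ...basePolicy, readOnly: true }, shopTab, 'click', 500),
    decide({ ...basePolicy, readOnly: true }, shopTab, 'read', 500),
    decide(basePolicy, shopTab, 'read', 1000),
  ];
}
console.log(demoDecisions());
```
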
The full trust model and honest limitations are in SECURITY.md —
which is also where to report a vulnerability (please don't open a public issue).
Multiple browsers & profiles
Install Tabduct in each Chrome profile you use (each Google account / profile is
separate). Connect each; with the hub on they all sit behind the one endpoint, and
the agent tells them apart by their Label (auto-named like Chrome-abcd —
rename to Work / Personal in Settings).
Two protocols, one extension, many hosts
Tabduct is defined by contracts, not implementations:
North (agent ↔ host): MCP. Already standardized; SDKs for Node, Python, .NET. Nothing to invent.
South (host ↔ extension): the Tabduct wire protocol. Chrome Native Messaging framing + message schema + tool catalog. Specified once in protocol/ — the single source of truth.
The extension is the fixed point (it must be JS): it defines what the browser can do; every host is a thin relay of MCP calls to it (~300–500 lines in any language).
Host | Status | Notes |
✅ reference impl | zero native deps, Node ≥ 18, MCP SDK wired, conformance-passing | |
📋 planned | conforms to | |
📋 planned | conforms to |
New languages need no permission — implement protocol/PROTOCOL.md and pass protocol/conformance/.
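The Chrome Native Messaging framing that every host has to speak is a 32-bit length in native byte order followed by UTF-8 JSON. This is an added sketch of an encoder and a streaming decoder, not code from the Tabduct repository: the message fields are constructed (the real schema lives in protocol/) and MAX_FRAME is an assumed cap.

```javascript
// Added illustration, not Tabduct's source. Message fields are constructed and
// MAX_FRAME is an assumed cap for this sketch, not a value from the page.
const os = require('node:os');

const LE = os.endianness() === 'LE'; // the length prefix uses native byte order
const MAX_FRAME = 1024 * 1024;

function encodeFrame(message) {
  const body = Buffer.from(JSON.stringify(message), 'utf8');
  if (body.length > MAX_FRAME) throw new RangeError('frame too large');
  const head = Buffer.alloc(4);
  if (LE) head.writeUInt32LE(body.length); else head.writeUInt32BE(body.length);
  return Buffer.concat([head, body]);
}

// stdin delivers arbitrary chunks: one frame may span several reads, and one
// read may hold several frames, so the decoder keeps the unconsumed tail.
class FrameDecoder {
  constructor() { this.buf = Buffer.alloc(0); }
  push(chunk) {
    this.buf = Buffer.concat([this.buf, chunk]);
    const out = [];
    while (this.buf.length >= 4) {
      const len = LE ? this.buf.readUInt32LE(0) : this.buf.readUInt32BE(0);
      // Check the declared length before waiting for the body, so a bogus
      // prefix cannot make the host buffer without bound.
      if (len > MAX_FRAME) throw new RangeError('declared length exceeds cap');
      if (this.buf.length < 4 + len) break; // body not complete yet
      out.push(JSON.parse(this.buf.subarray(4, 4 + len).toString('utf8')));
      this.buf = this.buf.subarray(4 + len);
    }
    return out;
  }
}

// Two constructed messages, delivered in three awkwardly split chunks.
function demoRoundTrip() {
  const a = encodeFrame({ id: 1, tool: 'example_tool', args: { tabId: 7 } });
  const b = encodeFrame({ id: 1, ok: true, text: 'héllo' });
  const wire = Buffer.concat([a, b]);
  const dec = new FrameDecoder();
  return [
    ...dec.push(wire.subarray(0, 3)),            // partial length prefix
    ...dec.push(wire.subarray(3, a.length + 2)), // rest of a + 2 bytes of b
    ...dec.push(wire.subarray(a.length + 2)),
  ];
}
console.log(demoRoundTrip());
```
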
Project layout
extension/   MV3 extension (the fixed point): consent, sharing, popup, icons
hosts/node/  reference host — CLI (register/doctor/run/instances/hub) + src/
protocol/    PROTOCOL.md + JSON schemas + conformance runners
docs/        ARCHITECTURE, DESIGN-consent-and-multibrowser, ROADMAP
scripts/     consent unit tests, icon/key generators
Run the full test suite (pure JS, no browser needed): npm test — consent unit tests + host conformance + hub conformance.
Status
Working reference implementation, pre-1.0. Developed and exercised on Windows;
the macOS/Linux code paths are implemented (per-OS manifest install, POSIX file
modes, launcher chmod) but deserve a smoke test on each before you lean on them.
See docs/ROADMAP.md.
Originality
Tabduct is written from scratch. It reuses no third-party source code — only standard, public interfaces: Chrome's Native Messaging framing (a documented OS transport) and the Model Context Protocol. Nothing here carries a third-party attribution obligation.
License
MIT — see LICENSE.