Autopilot
БесплатноНе проверенA browser-automation MCP server providing persistent browser profiles per domain, Bitwarden credential injection without exposing passwords, and playbook record
Описание
A browser-automation MCP server providing persistent browser profiles per domain, Bitwarden credential injection without exposing passwords, and playbook recording/replay for repeatable tasks.
README
A browser-automation MCP server. It hands an LLM a generic set of browser tools — navigate, screenshot, read text, run JS, click, type — that work on any URL, with each site backed by its own persistent Camoufox browser profile. Logins are filled straight from a Bitwarden vault so passwords never enter the model's context, and any sequence of steps that works can be saved as a "playbook" for one-call replay next time.
Tools
Browser (free-roam)
Each registrable domain (eTLD+1) gets its own persistent browser profile
under data/profiles/<profile>/. navigate(url) auto-derives the profile
from the URL; everything else takes profile explicitly.
| Tool | Description |
|---|---|
navigate |
Open a URL. Auto-derives profile from eTLD+1 (overridable). Returns visible text. |
screenshot |
PNG screenshot of the profile's current page. |
get_text |
Visible text only — cheaper than a screenshot. |
get_url |
Current URL for the profile. |
run_js |
Preferred for form fills / button clicks. Selector-based. |
click |
Click at (x, y). Use when run_js can't target the element. |
type_text |
Type into the focused element. |
attach_file |
Attach a local file to a <input type="file"> (incl. hidden inputs). |
scroll |
Scroll up or down. |
For parallel work on the same site, use isolated browser instances — each clones the site's base profile so concurrent sessions don't collide:
| Tool | Description |
|---|---|
spawn_instance |
Clone a base profile into a temporary isolated browser profile and open a URL. Returns instance_id. |
list_instances |
List live spawned instances and TTLs. |
close_instance |
Close an instance and delete its temporary profile. |
instance_navigate / instance_screenshot / instance_get_text / instance_get_url |
Browser navigation/inspection scoped to one instance_id. |
instance_run_js / instance_click / instance_type_text / instance_scroll |
Page interaction scoped to one instance_id. |
instance_attach_file / instance_fill_login |
Upload/login helpers scoped to one instance_id. |
Example: spawn_instance(url="https://accounts.google.com/...", clone_from_profile="google.com")
lets each Gmail cleanup branch use its own cloned Google session. Always call
close_instance(instance_id) when the branch is finished; timed-out instances
are also cleaned up automatically.
Credentials (Bitwarden, fill-don't-reveal)
| Tool | Description |
|---|---|
list_logins |
Search the vault. Returns id/name/urls/username — never passwords. |
fill_login |
Inject creds from Bitwarden straight into form fields. Password never returns. |
get_totp |
Current 6-digit TOTP from Bitwarden (single source of truth). |
create_login |
New vault entry. Refuses name collision. |
update_login |
Patch fields on an existing entry. |
upsert_login |
Create-or-update by (url, username). The signup convenience path. |
delete_login |
Send to Bitwarden trash. Requires confirm=True. |
reveal_credentials |
ESCAPE HATCH — returns plaintext. Requires reason, audited. |
Local file server (uploads)
For sites that ask the user to upload a local file. Two paths:
- Standard
<input type="file">— useattach_file(profile, selector, path). Works even when the input is hidden inside a custom dropzone widget; target the input itself, not the visible drop area. - Pure-JS uploader (no real input element) — use the local CORS file
server below. The MCP publishes the file at an unguessable URL on
127.0.0.1; the LLM usesrun_jstofetch()it inside the page, wrap the Blob in aFile, and dispatch a syntheticdropevent (or set it on a hidden input viaDataTransfer).
| Tool | Description |
|---|---|
serve_local_file |
Publish a local file at http://127.0.0.1:<port>/file/<token> with CORS. Returns url, token, content_type, size, expires_at. TTL default 30 min. |
list_served_files |
List currently-published files. |
unserve_local_file |
Revoke a token immediately. |
Security envelope: server binds 127.0.0.1 only; tokens are uuid4 hex (122
bits of entropy); one token = one file path (no directory traversal); idle
entries reaped on every request. Override the bind via
AUTOPILOT_FILE_SERVER_HOST / AUTOPILOT_FILE_SERVER_PORT env vars.
Playbooks
| Tool | Description |
|---|---|
list_playbooks |
List saved playbooks (filter by start_url substring). |
run_playbook |
Execute a playbook. Returns screenshots/text from observation steps. |
save_playbook |
Save a step sequence. Call after a successful task. |
delete_playbook |
Remove a broken playbook. |
playbook_run_list |
List run-ledger entries (one record per execution), newest first; filter by name/success. |
playbook_run_get |
Fetch one run ledger's full JSON by run_id. |
Workflow
list_playbooks(url_match)— is there already a playbook for this task?run_playbook(name)— if yes, run it. Done.- Otherwise:
navigate(url)→screenshot/get_text→run_js/click/type_text. - On a login page:
fill_login(url)— Bitwarden injects creds directly. If the form needs 2FA:get_totp(vault_item)thentype_text(profile, code). - For SMS 2FA:
navigate("https://messages.google.com/web/")and read the code from Google Messages. - After the task succeeds,
save_playbook(...)so next time is one call. - Just signed up somewhere new?
upsert_login(url, username, password)stores it and Bitwarden sync pushes to your other devices.
Credentials setup (Bitwarden)
The MCP unlocks Bitwarden with a master password stashed in the OS keyring
(DPAPI-encrypted on Windows, scoped to your user). On each start it pulls the
master password from the keyring, runs bw unlock --raw, and caches the
session token in RAM only — idle-expires after 15 minutes, re-locks on
shutdown. The master password never lands on disk outside the OS keyring, and
never enters the model's context.
One-time setup for a fresh machine, top to bottom:
1. Install the Bitwarden CLI
winget install --id Bitwarden.CLI --accept-source-agreements --accept-package-agreements
winget puts bw.exe on PATH via a shim — open a new shell afterward so the
update takes effect. (No winget? npm install -g @bitwarden/cli, or grab a
binary from https://bitwarden.com/download/.) Verify:
bw --version # e.g. 2026.3.0
bw status # {"status":"unauthenticated", ...}
2. Log in
Interactive — only your terminal sees the master password.
bw login
Prompts for email, master password, and a two-step token. On success
bw status reports "status":"locked" — leave it locked; the MCP unlocks on
demand.
3. Stash the master password in the OS keyring
Keep it out of .env and off the command line. After uv sync, stash it at
the hidden prompt:
uv run python -c "import keyring, getpass; keyring.set_password('autopilot-mcp', 'bw_master', getpass.getpass('Master password: ')); print('stored')"
This writes to service autopilot-mcp, username bw_master. Confirm without
printing the value:
uv run python -c "import keyring; v = keyring.get_password('autopilot-mcp', 'bw_master'); print(f'present={v is not None} length={len(v) if v else 0} backend={keyring.get_keyring().__class__.__name__}')"
# present=True length=<your pw length> backend=WinVaultKeyring
4. Smoke-test the unlock loop
Runs the real path — keyring read, bw unlock, list, lock — without printing
the password:
uv run python -c "
import json, os, subprocess, keyring
pw = keyring.get_password('autopilot-mcp', 'bw_master')
assert pw, 'keyring empty'
subprocess.run(['bw', 'sync'], check=True)
u = subprocess.run(['bw', 'unlock', '--raw', '--passwordenv', 'BW_PW'],
env={**os.environ, 'BW_PW': pw}, capture_output=True, text=True, check=True)
session = u.stdout.strip()
items = json.loads(subprocess.run(['bw', 'list', 'items', '--search', 'example',
'--session', session],
capture_output=True, text=True, check=True).stdout)
print(f'vault items matching \"example\": {len(items)}')
subprocess.run(['bw', 'lock', '--session', session], check=True)
"
If it completes without errors, setup is done.
Maintenance
- Rotate the master password — re-stash; the entry is overwritten in place:
uv run python -c "import keyring, getpass; keyring.set_password('autopilot-mcp', 'bw_master', getpass.getpass('New master password: '))" - Remove the keyring entry (the MCP then fails at startup until restored):
uv run python -c "import keyring; keyring.delete_password('autopilot-mcp', 'bw_master')" bwfell off PATH — open a new shell (winget's PATH update doesn't reach already-open shells); if still missing, re-run the install from step 1.- Force a full re-sync —
bw sync --force. The MCP runsbw syncafter every write, so this is only needed if the vault was edited elsewhere and you want the in-RAM cache to refresh before idle expiry. - Log out —
bw logoutdrops the account from localbwstate; repeat steps 2–3 to restore.
Initial browser session setup
Each profile gets one persistent browser profile the first time it's opened. For sites where you want the session pre-established (to handle 2FA challenges / "remember me" outside the MCP flow):
uv run python scripts/manual_login.py <url>
A visible Camoufox window opens at the URL. Log in, complete 2FA, check
"remember me", close the window. The profile at data/profiles/<eTLD+1>/
persists across headless MCP invocations.
Environment variables
All optional — defaults are sane for local use.
| Variable | Default | Description |
|---|---|---|
HEADLESS |
true |
Set "false" to show the browser window for debugging. |
BROWSER_TIMEOUT |
30000 |
Per-page navigation/action timeout, in ms. |
AUTOPILOT_TOOL_TIMEOUT_SECONDS |
60 |
Wall-clock cap on a single tool call. |
AUTOPILOT_PLAYBOOK_TIMEOUT_SECONDS |
300 |
Wall-clock cap on a run_playbook call. |
AUTOPILOT_BW_TIMEOUT_SECONDS |
45 |
Timeout for a single bw CLI invocation. |
AUTOPILOT_FILE_SERVER_HOST |
127.0.0.1 |
Bind interface for the local file server. |
AUTOPILOT_FILE_SERVER_PORT |
0 |
Bind port for the local file server (0 = ephemeral). |
AUTOPILOT_LOG_JSON |
false |
"true" for JSON logs; otherwise human-readable console output. |
AUTOPILOT_LOG_LEVEL |
INFO |
Root log level for all autopilot.* loggers. |
BITWARDENCLI_APPDATA_DIR |
— | Override the Bitwarden CLI data directory (standard bw variable). |
Credentials are pulled from Bitwarden — there are no per-site username/password environment variables.
Development
uv sync --extra dev
uv run camoufox fetch
uv run ruff check .
uv run pytest
uv run python server.py # stdio mode
Установка Autopilot
У этого сервера нет опубликованного пакета — он собирается из исходников. Открой репозиторий и следуй инструкции в README.
▸ github.com/TylerFlar/autopilot-mcpFAQ
Autopilot MCP бесплатный?
Да, Autopilot MCP бесплатный — установка в пару кликов через Unyly без оплаты.
Нужен ли API-ключ для Autopilot?
Нет, Autopilot работает без API-ключей и переменных окружения.
Autopilot — hosted или self-hosted?
Self-hosted: сервер запускается локально на твоей машине командой из раздела установки.
Как установить Autopilot в Claude Desktop, Claude Code или Cursor?
Открой Autopilot на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.
Похожие MCP
Playwright
Browser automation, scraping, screenshots
автор: MicrosoftPuppeteer
Browser automation and web scraping.
автор: modelcontextprotocolopentabs-dev/opentabs
Plugin-based MCP server + Chrome extension that gives AI agents access to web applications through the user's authenticated browser session. 100+ plugins with a
автор: opentabs-devrobhunter/agentdeals
1,500+ developer infrastructure deals, free tiers, and startup programs across 54 categories. Search deals, compare vendors, plan stacks, and track pricing chan
автор: robhunterCompare Autopilot with
Не уверен что выбрать?
Найди свой стек за 60 секунд
Автор?
Embed-бейдж для README
Похожее
Все в категории browse
