Add webmcp gen skill#133
Conversation
|
Standards-conformance pass on Pushed
Audited, no changes needed:
Left for the author:
|
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
# Conflicts: # README.md
| warnings.push(`Tool "${tool.name}" may contain Playwright-style code; WebMCP implementations run in the page.`); | ||
| } | ||
| if (implementationSource.includes("eval(") || implementationSource.includes("new Function")) { | ||
| errors.push(`Tool "${tool.name}" uses eval/new Function.`); |
There was a problem hiding this comment.
Substring blocks valid source
Low Severity
Static checks reject implementation.source when it merely contains the substrings eval( or new Function, including inside string literals or comments. Legitimate defensive error text can fail compile even though SKILL.md only forbids actually calling those APIs.
Reviewed by Cursor Bugbot for commit 1cdef7c. Configure here.
There was a problem hiding this comment.
Acknowledged — leaving as-is for now (recommend won't-fix, your call @shrey150). This is a deliberately conservative safety guard: implementation.source is injected into the page and run, so over-blocking anything that looks like eval(/new Function is safer than risking a false negative that lets a real call through. Distinguishing a real call from the same text inside a string/comment would require full JS parsing (AST), which is disproportionate for a Low-severity heuristic. The false-positive is rare (you'd have to literally put eval( or new Function in your in-page source text) and easy to reword. Happy to switch to a word-boundary regex or AST check if you'd prefer.
…rText
Address Cursor Bugbot review on validate.mjs:
- Empty manifest tools array no longer reports "passed" (vacuous every()
+ 0===0 length check); now pushes an explicit error and requires >0 tools.
- A tool returning { success: false } with an empty errorText is now stored
as an error and fails validation (|| fallback instead of ?? on "").
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Address Cursor Bugbot: parseSlug accepted a ".." segment (e.g. "../task"), and artifactDirFor resolves with path.resolve, so scaffold could write outside the artifacts/ tree. Now each slug segment must match ^[A-Za-z0-9][A-Za-z0-9._-]*$, rejecting ".." and leading-dot segments. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Address Cursor Bugbot: a manifest with missing/null `tools` made `manifest.tools.length` throw after the try/finally, crashing before eval.json/eval-report.md were written. Now validate early-returns a written "failed" report when `tools` is not an array. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes using default effort and found 3 potential issues.
There are 4 total unresolved issues (including 1 from previous review).
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit c4b9560. Configure here.
… tool-list timeout Address Cursor Bugbot: - scaffold.mjs toolNameFor now slices to compile.mjs's 1-80 char limit so a long slug can't scaffold a manifest that then fails compile. - validate.mjs listWebMCPTools timeout 1000ms -> 5000ms so slow page loads don't false-report tools as unregistered (example uses the default wait). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Match the create-browser-app / browserbase/templates convention (TS examples run with tsx). The generator now writes stagehand-example.ts (no shebang); package.json adds tsx/typescript/@types/node devDeps; SKILL.md documents `npx tsx stagehand-example.ts` and points to `npx create-browser-app` for turning the demo into a standalone project. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
3 participants
Summary
webmcp-genskill that authors site-specific WebMCP tools: write amanifest.jsonfor a target URL, compile it to awebmcp.init.jsinit script, and validate that Chrome actually registers and invokes the tools.scaffold.mjs(creates the artifact dir + starter manifest),compile.mjs(manifest → init script),generate-stagehand-example.mjs(runnable example), andvalidate.mjs(drives Chrome with--enable-features=WebMCPTesting,DevToolsWebMCPSupportvia local Stagehand and checks registration + invocation against fixture input).browseCLI (browse open --local,browse snapshot,browse get ...); the manifest is the source of truth and the agent iterates on it fromeval.json/eval-report.mdoutput.{ success: false, error }handling, no secrets/eval).E2E Test Matrix
cd <skill dir> && pnpm installPackages: +234...+ @browserbasehq/stagehand 3.6.0-alpha-fd42e65.../Done in 1.7s using pnpm v10.21.0node scripts/scaffold.mjs example.com/page-context --url https://example.comCreated WebMCP artifact at <artifact dir>; startermanifest.json(914 B) with anexample_com_page_contexttool,inputSchema,implementation.source, andfixtureInputmatching the SKILL.md manifest contractbrowse open https://example.com --local→browse snapshot/browse get title/browse get url/browse get text body→browse stop{"mode": "managed-local", ..., "title": "Example Domain"}; snapshot a11y tree showedheading: Example Domain, intro paragraph,link: Learn more→https://iana.org/domains/example;{"stopped": true}browseand yield enough structure to author the manifest. Only the documented read-only commands were used.manifest.json(authored from exploration), thennode scripts/compile.mjs <artifact dir>Compiled WebMCP artifact at <artifact dir>;webmcp.init.jsproduced (2628 B)sourcewith defensive missing-element handling) and emits the init script. Manifest-schema rejection paths not exercised.node scripts/generate-stagehand-example.mjs <artifact dir>Generated Stagehand example at <artifact dir>/stagehand-example.ts, wired toenv: "LOCAL"with the WebMCP Chrome flags and the manifest's expected tools/fixturesnode scripts/validate.mjs <artifact dir>Validation passed: <artifact dir>/- example_com_page_context: found=true invoked=true status=Completed;eval.jsonstatus: "passed"with real invocation output:{"title": "Example Domain", "url": "https://example.com/", "heading": "Example Domain", "intro": "This domain is for use in documentation...", "link": {"text": "Learn more", "href": "https://iana.org/domains/example"}}and the fixtureechoround-tripped;eval-report.mdwrittennpx tsx <artifact dir>/stagehand-example.tsFound 1 WebMCP tools:...Invocation result for example_com_page_context:"status": "Completed","success": truewith live page payload (title: "Example Domain",url, …).tsexample runs standalone viatsx(the create-browser-app/templates runner), reusing the skill's installed Stagehand. Re-verified after the.mjs→.tsswitch.🤖 Generated with Claude Code
Note
Low Risk
Additive skill and docs with local-only browser validation; no changes to existing runtime paths. Main caveat is reliance on a pinned Stagehand alpha and WebMCP Chrome flags.
Overview
Adds a new
webmcp-genskill and registers it in the Claude plugin marketplace and README. Agents can scaffold per-site artifacts (<domain>/<task>), author amanifest.json, compilewebmcp.init.js, and validate registration/invocation in local Chrome via Stagehand with WebMCP testing flags.The pipeline is four Node scripts:
scaffold.mjs(starter manifest + slug validation),compile.mjs(manifest → init script with timeouts, top-frame-only registration, and static checks foreval/Playwright-style code),generate-stagehand-example.mjs(runnable demo), andvalidate.mjs(lists/invokes tools against fixture input and writeseval.json/eval-report.md).SKILL.mddocuments the workflow, manifest contract, and in-page authoring rules (browser APIs only, no secrets). The skill pins@browserbasehq/stagehandviapackage.jsonandpnpm-lock.yaml.Reviewed by Cursor Bugbot for commit 031ecb9. Bugbot is set up for automated code reviews on this repo. Configure here.