Security model
Scout's security posture comes from explicit connector boundaries, identity-aware MCP requests, durable browser session lifecycle, and a clear distinction between hosted automation and extension-backed real-browser control.
Security principles
Scout exposes powerful tools, so the security model starts by making capability, identity, runtime, and budget boundaries visible.
Connector isolation
Scout separates browser, Node, system, Figma, canvas, payment, extension, agent, and orchestration tools into capability-owned MCP servers. A client only receives the tools exposed by the connector server it configures.
Authenticated MCP access
Hosted connector requests must resolve identity before execution. OAuth-capable MCP clients use sign-in, while Scout access tokens are explicit fallback credentials for non-interactive MCP clients. Extension model routing uses the user's configured AI provider key.
Segmented identity
Public bearer auth exposes userId and workerId to the request boundary. Raw token subjects stay inside verification code and do not leak into connector-facing APIs.
Explicit browser context
The extension is used when an agent needs a user's real browser state. It connects to Scout's Mastra server and uses the user's chosen AI provider key, while hosted browser connector sessions remain a separate MCP-client path for cleaner automation.
Credit-gated execution
Connector execution hydrates credit balance at request time and meters tool usage by operation. Budget limits stop execution instead of allowing silent overrun.
Durable session lifecycle
Long-lived browser work is tied to durable session registration and streaming lifecycle, so cleanup, tailing, and reconnect behavior have explicit boundaries.
Permission scoping
Extension permissions are only relevant to the extension runtime. Configuring a connector MCP server does not require users to grant browser extension permissions unless the workflow needs real-browser control.
Deterministic error handling
Failed operations should return visible errors instead of silently falling back to another model, runtime, or identity. Scout treats surprise success as a security and debugging risk.
Extension permissions
The extension path is for real-browser workflows. These permissions do not apply to hosted connector MCP clients unless you choose to install the extension.
debugger: Attach CDP sessions to browser tabs.
Used for: Required for the browser tools that inspect pages and drive tabs through Chrome DevTools Protocol.
Exposure: High power, but attached one session at a time instead of running as broad page access.
tabs: Read open tab titles and URLs.
Used for: Listing tabs and letting the extension attach the right session to the right window.
Exposure: Metadata only. It does not grant page DOM access by itself.
activeTab: Access the current tab on user gesture.
Used for: Lets Scout work against the tab the user explicitly opened the extension from.
Exposure: Only the active tab, and only after user invocation.
storage: Store local settings and session state.
Used for: Persists connection details, preferences, and recent extension state across restarts.
Exposure: Stored in the browser profile. Not synced to Scout servers by the permission itself.
identity: Start the browser OAuth flow for sign-in.
Used for: Account linking and user authentication inside the extension path.
Exposure: Standard browser OAuth flow. Scout does not receive raw provider passwords.
clipboardRead/Write: Read or write the system clipboard.
Used for: Powers the clipboard tool when an agent explicitly needs copy or paste behavior.
Exposure: Only used when a workflow invokes that tool directly.
scripting: Inject scripts into the current page.
Used for: Supports in-page helpers and extension features that need to run against the active document.
Exposure: Limited to the page context being worked on, not blanket background scraping.
sidePanel: Show the side-panel interface.
Used for: Provides the extension UI for status, monitoring, and controls.
Exposure: Visual surface only. It does not widen data access on its own.
cookies: Read or write browser cookies.
Used for: Needed only for the cookie management tool and authenticated browser-state workflows.
Exposure: Sensitive capability, but exercised per tool call rather than through bulk export behavior.
webNavigation: Observe page navigation events.
Used for: Tracks lifecycle changes so sessions can react to loads, redirects, and completion state.
Exposure: Event observation only. It does not grant content extraction by itself.
contextMenus: Add actions to the browser context menu.
Used for: Lets users trigger Scout actions from right-click surfaces when that shortcut is useful.
Exposure: Menu surface only. No additional data access comes from the menu itself.
downloads: Monitor and manage downloads.
Used for: Supports download-aware workflows that need to wait for or manage files created during automation.
Exposure: Tied to download operations rather than unrestricted file-system access.
notifications: Send browser notifications.
Used for: Visible completion and error alerts.
Exposure: User-visible messaging only.
tabGroups: Organize tabs into groups.
Used for: Helps keep multi-session runs readable inside the user’s browser.
Exposure: Tab organization only. No added content access.
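One way to check an extension build against the permission list above, as an added example rather than Scout's own code: the script compares the permissions a manifest declares with the ones documented on this page. The sample manifest is constructed; treating debugger and cookies as the sensitive set follows the Exposure wording above ("High power", "Sensitive capability"), and the list of broad host patterns is an assumption of this example.

```javascript
// Permissions documented on this page (clipboardRead/Write covers two
// Chrome permission strings).
const DOCUMENTED = new Set([
  "debugger", "tabs", "activeTab", "storage", "identity",
  "clipboardRead", "clipboardWrite", "scripting", "sidePanel", "cookies",
  "webNavigation", "contextMenus", "downloads", "notifications", "tabGroups",
]);
// Permissions whose Exposure line calls them high power or sensitive.
const SENSITIVE = new Set(["debugger", "cookies"]);
// Assumption: host patterns this example treats as "broad page access".
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function auditManifest(manifest) {
  const required = manifest.permissions ?? [];
  const optional = manifest.optional_permissions ?? [];
  const hosts = [
    ...(manifest.host_permissions ?? []),
    ...(manifest.optional_host_permissions ?? []),
  ];
  const declared = [...new Set([...required, ...optional])];
  return {
    // Declared by the build but absent from the documented list.
    undocumented: declared.filter((p) => !DOCUMENTED.has(p)).sort(),
    // Sensitive permissions granted at install time.
    sensitiveAtInstall: required.filter((p) => SENSITIVE.has(p)).sort(),
    // Sensitive permissions that are only requested at runtime.
    sensitiveOnDemand: optional
      .filter((p) => SENSITIVE.has(p) && !required.includes(p)).sort(),
    broadHosts: hosts.filter((h) => BROAD_HOSTS.has(h)).sort(),
  };
}

// A build needs manual review when it drifts from the documented list
// or asks for blanket host access.
function needsReview(report) {
  return report.undocumented.length > 0 || report.broadHosts.length > 0;
}

// Constructed sample manifest, not taken from any real extension.
const sampleManifest = {
  manifest_version: 3,
  name: "example-extension",
  permissions: ["debugger", "tabs", "activeTab", "storage", "history"],
  optional_permissions: ["cookies", "downloads"],
  host_permissions: ["<all_urls>"],
};

const sampleReport = auditManifest(sampleManifest);
console.log(JSON.stringify(sampleReport, null, 2), needsReview(sampleReport));
```

Run it against the manifest.json of the installed extension to see which sensitive permissions are granted at install time and whether anything outside the documented list has appeared.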
Threat model
Known attack vectors, scenarios of concern, and the mitigations Scout applies.
A web page or prompt attempts to convince an agent to use tools outside the intended task boundary.
A leaked or replayed credential is used to call a hosted connector.
An agent loop consumes browser, Node, or host-machine tool calls unexpectedly.
A workflow accidentally operates against personal tabs or cookies when an isolated browser session would have been safer.
Security disclosure
If you discover a security vulnerability in Scout, please report it via responsible disclosure. We aim to respond within 48 hours and provide a fix within 14 days for critical issues.
security@scout.i.ng