Bypassing AI Web Sandbox with WebSockets & Retro Browsers

Published: January 17, 2026 at 07:54 PM EST
Source: Dev.to


Setup Overview

I built a setup using Tampermonkey userscripts (MCP_v6_FULL_UNBLOCK.js and Gemini MCP v0.6) that inject JavaScript into the web interfaces for Claude, Gemini, and ChatGPT. The scripts intercept special commands (e.g., /[mcp] dir C:\ or /[mcp] Get-Process) and forward them via WebSocket to a local Node.js server.

Tampermonkey Userscripts

  • MCP_v6_FULL_UNBLOCK.js
  • Gemini MCP v0.6

These scripts:

  1. Hook into the chat UI.
  2. Detect commands prefixed with /[mcp].
  3. Send the parsed command payload over a WebSocket connection to the backend server.

Node.js Server (server.js)

The server listens on port 9999 (optionally exposed through ngrok for remote access) and implements a JSON‑RPC protocol exposing several system tools:

Method             Description
shell/exec         Execute arbitrary shell/PowerShell commands.
filesystem/read    Read files from the local filesystem.
filesystem/write   Write files to the local filesystem.
vscode/open        Open a file in VS Code.

Example Server Snippet

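// server.js
const WebSocket = require('ws');

// Listen for userscript connections on port 9999.
const wss = new WebSocket.Server({ port: 9999 });

wss.on('connection', ws => {
  ws.on('message', async msg => {
    let request;
    try {
      request = JSON.parse(msg);
    } catch (err) {
      return; // Ignore frames that are not valid JSON instead of rejecting unhandled.
    }
    // Dispatch based on request.method …
  });
});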

Results from these operations are streamed back through the WebSocket to the userscript, which then injects the output into the AI chat interface.

Retro Browser (Zeno)

I also created an iframe retro‑browser using Zeno Bro Web Core. This browser has minimal sandbox restrictions, making it harder for the AI to detect that it is running inside a typical browser environment. Consequently, the AI gains a closer approximation to native system access.

Test Results

In a test with Claude, the AI blindly executed PowerShell commands on my machine for several minutes until I intervened and informed it of the ongoing activity. After that, Claude stopped and reported that it “couldn’t do more.” The system is still rough around the edges and needs polishing, but the experiment demonstrates that there is room to push the boundaries further.

Screenshots

  • ngrok tunnel status (active)
  • Zeno browser window running
  • Gemini interface with MCP connected
  • Tampermonkey scripts loaded in the browser

(Screenshots omitted from this markdown version.)
