Bypassing AI Web Sandbox with WebSockets & Retro Browsers

Published: January 17, 2026 at 07:54 PM EST

Source: Dev.to

Setup Overview

I built a setup using Tampermonkey userscripts (MCP_v6_FULL_UNBLOCK.js and Gemini MCP v0.6) that inject JavaScript into the web interfaces for Claude, Gemini, and ChatGPT. The scripts intercept special commands (e.g., /[mcp] dir C:\ or /[mcp] Get-Process) and forward them via WebSocket to a local Node.js server.

Tampermonkey Userscripts

  • MCP_v6_FULL_UNBLOCK.js
  • Gemini MCP v0.6

These scripts:

  1. Hook into the chat UI.
  2. Detect commands prefixed with /[mcp].
  3. Send the parsed command payload over a WebSocket connection to the backend server.

Node.js Server (server.js)

The server listens on port 9999 (optionally exposed through ngrok for remote access) and implements a JSON‑RPC protocol exposing several system tools:

| Method           | Description                                   |
|------------------|-----------------------------------------------|
| shell/exec       | Execute arbitrary shell/PowerShell commands.  |
| filesystem/read  | Read files from the local filesystem.         |
| filesystem/write | Write files to the local filesystem.          |
| vscode/open      | Open a file in VS Code.                       |

Example Server Snippet

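// server.js
const WebSocket = require('ws');

// Listen for WebSocket connections on port 9999.
const wss = new WebSocket.Server({ port: 9999 });

wss.on('connection', ws => {
  ws.on('message', async msg => {
    let request;
    try {
      request = JSON.parse(msg);
    } catch (err) {
      // Ignore frames that are not valid JSON instead of letting the handler throw.
      return;
    }
    // Dispatch based on request.method …
  });
});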

Results from these operations are streamed back through the WebSocket to the userscript, which then injects the output into the AI chat interface.
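
The snippet above passes only `port` to `WebSocket.Server`, so as shown nothing checks which page opened the socket or whether the caller is authorized before `shell/exec` is reachable. The following is an added example, not the author's code: a policy gate that checks the handshake `Origin`, a shared token, and a method allowlist. The `policy` values, the `auth` request field and the `-32001` error code are assumptions.

```javascript
// Added example: policy gate for a JSON-RPC-over-WebSocket bridge.
// Origin, token handling and the `auth` field are assumptions, not the post's code.
const crypto = require('crypto');

const policy = {
  allowedOrigins: new Set(['https://chat.example']),           // constructed sample
  allowedMethods: new Set(['filesystem/read', 'vscode/open']), // no shell/exec, no write
  token: crypto.randomBytes(32).toString('hex'),               // per-run shared secret
};

// Hash both sides so timingSafeEqual always sees equal-length buffers.
function tokenMatches(given, expected) {
  if (typeof given !== 'string') return false;
  const digest = s => crypto.createHash('sha256').update(s).digest();
  return crypto.timingSafeEqual(digest(given), digest(expected));
}

// Handshake check. Browsers set Origin themselves, so this stops other web
// pages; non-browser clients can forge it, which is why the token exists.
function allowUpgrade(headers, p = policy) {
  return p.allowedOrigins.has(headers.origin);
}

const deny = (code, message) => ({ ok: false, code, message });

// Per-message check, run before any dispatch on request.method.
function checkRequest(raw, p = policy) {
  let req;
  try {
    req = JSON.parse(raw);
  } catch {
    return deny(-32700, 'Parse error');           // JSON-RPC 2.0 code
  }
  if (req === null || typeof req !== 'object' || typeof req.method !== 'string') {
    return deny(-32600, 'Invalid Request');       // JSON-RPC 2.0 code
  }
  if (!tokenMatches(req.auth, p.token)) {
    return deny(-32001, 'Unauthorized');          // constructed server-defined code
  }
  if (!p.allowedMethods.has(req.method)) {
    return deny(-32601, 'Method not found');      // JSON-RPC 2.0 code
  }
  return { ok: true, method: req.method, params: req.params };
}

// Wiring into the `ws` server from the snippet (shown as a comment, not run here):
//   new WebSocket.Server({ host: '127.0.0.1', port: 9999,
//     verifyClient: info => allowUpgrade(info.req.headers) });
```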

Retro Browser (Zeno)

I also created an iframe retro‑browser using Zeno Bro Web Core. This browser has minimal sandbox restrictions, making it harder for the AI to detect that it is running inside a typical browser environment. Consequently, the AI gains a closer approximation to native system access.

Test Results

In a test with Claude, the AI blindly executed PowerShell commands on my machine for several minutes until I intervened and informed it of the ongoing activity. After that, Claude stopped and reported that it “couldn’t do more.” The system is still rough around the edges and needs polishing, but the experiment demonstrates that there is room to push the boundaries further.

Screenshots

  • ngrok tunnel status (active)
  • Zeno browser window running
  • Gemini interface with MCP connected
  • Tampermonkey scripts loaded in the browser

(Screenshots omitted from this markdown version.)
