Ghostvault

Ghostvault

Enables AI agents to manage multiple Google accounts with persistent sessions and anti-detect browser fingerprints, supporting sign-in, account switching, Gmail access, and interaction with any Google SSO website.

Category
Visit Server

README

<div align="center">

πŸ‘» Ghostvault

Open-source MCP server for managing multiple Google accounts through your AI agent β€” powered by Camoufox.

CI License: MIT Python 3.11+ MCP

Let Claude Desktop, Cursor, Cline, or any MCP-compatible agent sign in to Google accounts, switch between them, read Gmail, and drive any website that uses Sign in with Google β€” with persistent sessions and locked anti-detect fingerprints.

Quick start Β· How it works Β· Tools Β· FAQ Β· Contributing

</div>


Why Ghostvault

Managing several Google accounts from automation is painful:

  • πŸ”’ Google's bot detection flags headless browsers and datacenter IPs
  • πŸ” Account hopping requires re-authentication every time
  • 🌐 Third-party sites that use "Sign in with Google" don't expose API access

Ghostvault solves this by giving your AI agent a real, anti-detect browser per account β€” with sessions that persist between restarts and fingerprints that don't drift.

Features

  • 🎭 Locked fingerprints β€” each account always looks like the same device to Google (Camoufox C-level spoofing + persisted noise seeds)
  • πŸ” Persistent sessions β€” sign in once per account, then reuse forever (cookies + localStorage survive restarts)
  • πŸ”„ Multi-account β€” create, sign in, and switch between unlimited Google accounts from one agent
  • 🌍 Any Google-SSO site β€” once signed in, the agent can drive Notion, Canva, ChatGPT, or any site that uses Google login
  • πŸ”Œ Multi-provider ready β€” gv_create_account({provider: "google"}) defaults to Google; the architecture supports GitHub, Facebook, or any OAuth provider in the future
  • πŸ‘οΈ Vision support β€” tools return PNG screenshots so the LLM can see the page when text isn't enough
  • πŸ“‹ Self-debugging β€” structured JSONL logs of every action; the agent can read them via gv_get_logs
  • 🏠 Local-first β€” sessions, cookies, and fingerprints live on your machine under ~/.ghostvault; nothing is ever sent anywhere
  • πŸ”’ Optional encryption at rest β€” AES-256-GCM encrypted profile archives with the key in your OS keychain (off by default)
  • ⏱️ Auto-close & auto-lock β€” optionally close + re-encrypt after each task or after N idle minutes (off by default)
  • πŸ”‘ Private/public profiles β€” optional password gate separating sensitive profiles (hidden until unlocked) from public ones; 5 wrong passwords wipes private profiles
  • πŸ€– LLM-agnostic β€” works with Claude, GPT, Gemini, or any model your MCP client supports
  • πŸͺΆ Zero-dependency agent loop β€” you bring the LLM client, Ghostvault provides the browser tools

How it works

Your AI agent (Claude Desktop / Cursor / Cline)
        β”‚  MCP protocol (stdio or HTTP)
        β–Ό
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚ Ghostvault MCP Server                           β”‚
β”‚                                                 β”‚
β”‚  24 tools:                                      β”‚
β”‚   gv_sign_in, gv_open_account,          β”‚
β”‚   gv_switch_account, gv_lock_account,   β”‚
β”‚   gv_sign_out, gv_delete_account,       β”‚
β”‚   gv_open_url, gv_read_gmail,           β”‚
β”‚   gv_get_page_content (+ screenshot),       β”‚
β”‚   gv_click_element, gv_fill_input,      β”‚
β”‚   gv_setup_password, gv_unlock,         β”‚
β”‚   gv_make_private, gv_get_logs, ...     β”‚
β”‚                                                 β”‚
β”‚  Per-account persistent Camoufox profiles:      β”‚
β”‚   profile_A/  ── + locked fingerprint A         β”‚
β”‚   profile_B/  ── + locked fingerprint B         β”‚
β”‚   profile_C/  ── + locked fingerprint C         β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
        β”‚  traffic exits via your home IP (local-first)
        β–Ό
   google.com  +  any Google-SSO site

The agent decides what to do; Ghostvault provides the hands. Because the agent loop lives client-side, you can use whichever LLM you like.

Why fingerprints are locked (critical)

Camoufox generates a fresh random fingerprint on every launch β€” it does not persist one to the profile directory. Without locking, each launch would look like a brand-new device and Google would flag the account.

Ghostvault generates one fingerprint per account at creation, serializes it (BrowserForge fingerprint + the canvas/audio/fonts noise seeds + OS) to a sidecar JSON, and passes it back on every launch. Result: an account always presents the same identity.


Quick start (one command)

No Python experience needed. Run the one-line installer for your platform. It installs everything and configures Claude Desktop / Cursor for you.

macOS / Linux (in a terminal):

curl -fsSL https://raw.githubusercontent.com/mienetic/Ghostvault/main/install.sh | bash

Windows (in PowerShell):

irm https://raw.githubusercontent.com/mienetic/Ghostvault/main/install.ps1 | iex

The installer automatically:

  1. πŸ“₯ Clones Ghostvault into ~/.ghostvault-app (or %USERPROFILE%\.ghostvault-app on Windows)
  2. 🐍 Creates an isolated Python virtualenv (doesn't touch your system Python)
  3. πŸ“¦ Installs Ghostvault + all dependencies
  4. 🦊 Downloads the Camoufox browser binary (~120 MB, one-time)
  5. βš™οΈ Writes the MCP config for Claude Desktop and/or Cursor if they're installed

Then restart Claude Desktop / Cursor β€” Ghostvault's tools appear. That's it. πŸŽ‰

Requirements: Python 3.11+ (download) and git. On macOS, run xcode-select --install first if git isn't installed. On Windows, check "Add Python to PATH" during the Python installer.

Update

# macOS / Linux
~/.ghostvault-app/update.sh

# Windows (PowerShell)
powershell -File "$env:USERPROFILE\.ghostvault-app\update.ps1"

Ghostvault also checks automatically on startup and prints a notice if a new version is available β€” so you'll never be silently out of date.

Uninstall

# macOS / Linux
bash ~/.ghostvault-app/uninstall.sh

On Windows, just delete the install dir and the data dir manually:

Remove-Item -Recurse -Force "$env:USERPROFILE\.ghostvault-app"
Remove-Item -Recurse -Force "$env:USERPROFILE\.ghostvault"   # sessions (optional)

Then remove the ghostvault entry from your Claude Desktop / Cursor config by hand.

Removes the install dir + the Ghostvault entry from your client configs. (On macOS/Linux the script asks before deleting session data, since ~/.ghostvault contains your Google sessions.)


Connect your agent

πŸ’‘ If you ran the one-line installer above, it already wrote the config for Claude Desktop and Cursor. Just restart those apps and you're done β€” skip to Usage. The steps below are only needed if you installed manually, or want to connect a different agent.

Ghostvault is an MCP server, so any MCP-compatible client can connect. Ready-to-copy config files for each client live in examples/ β€” see examples/README.md for the full cheat-sheet of where each file goes and the JSON shape each client expects.

⚠️ Use an absolute path to your Python. Clients run the server as a subprocess and don't inherit your shell PATH, so a bare python won't be found. After installing, find the right interpreter:

  • One-line installer: ~/.ghostvault-app/.venv/bin/python
  • Manual install: run which python in the venv where you installed Ghostvault, or use /usr/bin/python3, /opt/homebrew/bin/python3, etc.

Supported clients

Client Example file Config location
Claude Desktop claude_desktop_config.json ~/Library/Application Support/Claude/ (macOS), %APPDATA%\Claude\ (Windows), ~/.config/Claude/ (Linux)
Cursor cursor_config.json ~/.cursor/mcp.json (global) or .cursor/mcp.json (per-project)
Cline (VS Code) cline_mcp_settings.json ~/.cline/data/settings/cline_mcp_settings.json (note extra disabled/autoApprove fields)
VS Code (Agent mode) vscode_mcp.json .vscode/mcp.json (note shape is {"servers": {...}} with type: "stdio")
ZCode zcode_config.json <repo>/.zcode/config.json (workspace) or ~/.zcode/cli/config.json (note nested mcp.servers)
Continue.dev continue_dev_config.json ~/.continue/config.json under mcpServers
Claude Code (CLI) (CLI β€” see below) claude mcp add ...

Claude Code (CLI)

Claude Code is configured via the claude CLI rather than a JSON file:

claude mcp add --transport stdio -s user \
  -e GHOSTVAULT_HEADLESS=false \
  ghostvault -- /absolute/path/to/python -m ghostvault

Verify: claude mcp list. Scopes: -s user (all projects), -s project (shared via .mcp.json), -s local (default).

Other clients

Any MCP-compatible client works. The universal recipe:

  1. Point command at an absolute Python path that has Ghostvault installed
  2. Set args to ["-m", "ghostvault"]
  3. Optionally set env for any GHOSTVAULT_* variables (see Configuration)

The clients disagree on JSON shape β€” see the shape cheat-sheet in examples/README.md.

Remote / HTTP transport (advanced)

To serve Ghostvault over HTTP instead of stdio (e.g. for a remote client):

GHOSTVAULT_TRANSPORT=http GHOSTVAULT_PORT=8765 python -m ghostvault

Then point your client at http://127.0.0.1:8765/mcp (use the machine's IP for remote access β€” ensure you secure it).


Verify the connection

After connecting any agent, test it with a simple prompt:

"List my Ghostvault accounts."

The agent should call gv_list_accounts and return an empty list on a fresh install. If you get an error instead, check:

  • The Python path in the config is absolute and correct (ls /that/path)
  • Ghostvault is importable from that Python: /that/path/python -c "import ghostvault"
  • The Camoufox browser binary is downloaded: /that/path/python -m camoufox path
  • For stdio clients: check the client's MCP/logs panel β€” startup errors appear there

Just talk to your agent naturally. Example prompts:

  • "Sign in to my Work Google account, then read my latest 5 emails and tell me if any need an urgent reply."
  • "Switch to my Personal account and open Drive β€” list my recent files."
  • "Open Notion using my Work Google login and create a new page called 'Weekly review'."
  • "Take a screenshot of the current page so I can see what's happening."

The agent calls the right tools. On the first sign-in of a new account, a browser window opens for you to complete login (Google will likely ask for 2FA β€” this is normal).

Typical first-time flow

1. You:   "Create a Google account called Work"
   Agent: calls gv_create_account β†’ "Done. Now sign in."

2. You:   "Sign in to Work"
   Agent: calls gv_sign_in β†’ a browser window opens
   You:   complete Google login + 2FA in that window
   Agent: "Signed in as you@gmail.com."

3. You:   "Read my latest emails"
   Agent: calls gv_read_gmail β†’ returns inbox summary

4. You:   "Now switch to Personal and open Drive"
   Agent: calls gv_switch_account + gv_open_url

Tool reference

Accounts & lifecycle (16 tools)

Tool Description
gv_list_accounts List accounts + which is active + statuses (private hidden when locked)
gv_create_account Create a slot with a locked fingerprint (name, os?, proxy?)
gv_sign_in Open a login window for the user (handles 2FA)
gv_open_account Open the browser reusing a saved session (no login window)
gv_switch_account Change the active account
gv_get_session_status Check if a session is running/authenticated
gv_close_account Close a browser context (session saved)
gv_lock_account Close + re-encrypt (session kept)
gv_sign_out Sign out of Google (session invalidated; re-login required)
gv_delete_account Delete account + profile + session + DB row permanently
gv_setup_password Set a password to enable the private/public gate (browser window)
gv_unlock Unlock the gate to access private profiles (password or browser window)
gv_logout Lock the gate + close private contexts + switch to public
gv_get_auth_status Check whether the gate is active and unlocked
gv_make_private Mark a profile as private (hidden when locked)
gv_make_public Mark a profile as public (always accessible)

Browser (7 tools)

Tool Description
gv_open_url Open any URL in the active account (incl. Google-SSO sites)
gv_get_page_content Read page text (+ optional screenshot via include_screenshot)
gv_screenshot Capture a PNG (vision) β€” full_page option
gv_get_page_links List visible links
gv_click_element Click by visible text or CSS selector
gv_fill_input Fill a form field by label or selector
gv_read_gmail Read the Gmail inbox (convenience tool)

Debug (1 tool)

Tool Description
gv_get_logs Read recent JSONL action log entries

Full tool docstrings (what the agent sees) are in SKILL.md.


Configuration

All settings are env vars (prefix GHOSTVAULT_), loadable from a .env file. See .env.example for the full list. Highlights:

Var Default Purpose
GHOSTVAULT_DATA_DIR ~/.ghostvault Profiles, DB, logs
GHOSTVAULT_HEADLESS false Open a visible window (recommended for login + 2FA)
GHOSTVAULT_DEFAULT_OS auto Default fingerprint OS (auto = host OS, or windows/macos/linux)
GHOSTVAULT_LOGIN_TIMEOUT 300 Seconds to complete login + 2FA
GHOSTVAULT_TRANSPORT stdio stdio | http | sse
GHOSTVAULT_PROXY_* (empty) Optional global proxy (local-first otherwise)
GHOSTVAULT_LOG_LEVEL INFO Console log level
GHOSTVAULT_ENCRYPTION_ENABLED false Encrypt profile dirs at rest (see Encryption)
GHOSTVAULT_AUTO_CLOSE_AFTER_TASK false Close browser + re-encrypt after each tool call (minimizes exposure window)
GHOSTVAULT_AUTO_LOCK_MINUTES 0 Auto-close idle contexts after N minutes (0 = disabled)
GHOSTVAULT_WINDOW_WIDTH 1280 Browser window width in pixels (0 = let browser decide)
GHOSTVAULT_WINDOW_HEIGHT 800 Browser window height in pixels (0 = let browser decide)

Encryption at rest (optional)

By default, each account's persistent profile (which holds real Google session cookies) lives on disk as plaintext Firefox profile files. Anyone with read access to ~/.ghostvault/profiles/ can steal your sessions.

Enable encryption to store profiles as AES-256-GCM archives instead:

export GHOSTVAULT_ENCRYPTION_ENABLED=true

Or set it in your client's env block:

"env": { "GHOSTVAULT_ENCRYPTION_ENABLED": "true" }

How it works:

  • The master key is stored in your OS keychain (macOS Keychain, Windows Credential Manager, Linux Secret Service) β€” never on disk. It's auto-generated on first use.
  • When the browser opens, the profile is decrypted to a temp dir (wiped on close).
  • When the browser closes, the profile is re-encrypted to <account_id>.profile.enc.
  • Existing plaintext profiles are auto-migrated on first open after enabling.

Requirements & caveats:

  • Keychain backend required. On headless Linux without D-Bus / Secret Service (e.g. a bare Docker container), encryption can't store the key securely and stays disabled. Run gnome-keyring or kwallet first.
  • Losing the keychain entry = losing the profiles. The key is not derivable from anything else. There is no recovery path by design β€” that's what makes it secure.
  • The browser still sees plaintext while running. Encryption protects data at rest, not against an attacker who compromises the running session.
  • Fingerprint files stay plaintext. They describe the spoofed identity (UA, screen, etc.) but don't contain session secrets, so encrypting them isn't worth the complexity.

Private/public profiles (optional)

Ghostvault can separate profiles into public (accessible without unlocking) and private (hidden behind a password). This is an app-level visibility gate on top of encryption-at-rest.

How it works:

  1. Call gv_setup_password β€” a browser window opens for you to set a password
  2. Mark sensitive profiles as private: gv_make_private({account_id})
  3. When locked, gv_list_accounts hides private profiles; browser tools refuse to open them
  4. Call gv_unlock({password}) to access private profiles (stays unlocked until gv_logout or server restart)

Brute-force protection:

  • 3 wrong passwords β†’ warning with remaining attempts
  • 5 wrong passwords β†’ all private profiles permanently deleted + password reset
  • Public profiles are never affected by failed attempts

This is different from encryption-at-rest: encryption protects the disk (someone steals the laptop); the private/public gate protects access (someone sits at your unlocked machine and tries to use private Google accounts via the agent).

Remote (HTTP transport)

For remote access instead of the default stdio transport:

GHOSTVAULT_TRANSPORT=http GHOSTVAULT_PORT=8765 python -m ghostvault

Point your client at http://127.0.0.1:8765/mcp.


Manual install (alternative)

<details> <summary>Click to expand β€” for users who prefer a manual setup or want to develop Ghostvault</summary>

Ghostvault is not yet on PyPI β€” install it from the GitHub source. Requires Python 3.11+.

git clone https://github.com/mienetic/Ghostvault.git
cd Ghostvault
pip install -e .

# Download the Camoufox browser binary (~120 MB, one-time)
python -m camoufox fetch

For development (includes test + lint tooling):

pip install -e ".[dev]"

Then add Ghostvault to your client config manually. Use the Python from your environment as the command β€” for example, the venv python if you installed into one.

Claude Desktop β€” edit ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or ~/.config/Claude/claude_desktop_config.json (Linux):

{
  "mcpServers": {
    "ghostvault": {
      "command": "/absolute/path/to/your/python",
      "args": ["-m", "ghostvault"],
      "env": {
        "GHOSTVAULT_HEADLESS": "false"
      }
    }
  }
}

Cursor β€” edit .cursor/mcp.json:

{
  "mcpServers": {
    "ghostvault": {
      "command": "/absolute/path/to/your/python",
      "args": ["-m", "ghostvault"]
    }
  }
}

Restart your client after editing.

</details>


Programmatic use (SDK)

For scripts that want to call Ghostvault without an LLM in the loop (run inside the cloned repo, after pip install -e . above):

pip install -e ".[sdk]"
import asyncio
from ghostvault_sdk import GhostvaultClient

async def main():
    async with GhostvaultClient() as gv:
        await gv.create_account(name="Work", os="macos")
        accounts = await gv.list_accounts()
        print(accounts)

asyncio.run(main())

See the examples/ directory for comprehensive examples:

Example What it demonstrates
scripts/sdk_all_tools.py Every gv_* tool called via SDK (24 tools)
scripts/sdk_private_public.py Private/public gate flow via SDK (setup, lock, unlock, logout)
scripts/test_login_session.py End-to-end: login Google + verify session persists across restart
scripts/mcp_e2e_test.py MCP protocol test: create + sign in + read Gmail
scripts/mcp_security_test.py Encryption + auto-close + auto-lock + sign_out + delete
agent_prompts.md Copy-paste prompts for Claude Desktop / Cursor / ZCode (all 24 tools)

FAQ

<details> <summary><b>Will Google ban my accounts?</b></summary>

Ghostvault uses Camoufox, a Firefox fork with C-level fingerprint spoofing β€” the same technology used by professional anti-detect tools. With locked fingerprints and your home IP, each account looks like a genuine, consistent device. That said:

  • First-time login always triggers 2FA β€” Google sees a new device. This is expected and one-time per account.
  • Don't share IPs across many accounts β€” Google clusters accounts by IP. One account per proxy/IP is the safe ratio.
  • Don't automate at inhuman speed β€” the agent should pace actions like a real user.

Ghostvault gives you the tools to be safe; how you use them is your responsibility. </details>

<details> <summary><b>Can I run this on a server instead of my laptop?</b></summary>

Yes, but with caveats:

  • You'll need a residential/mobile proxy per account (datacenter IPs get flagged immediately).
  • Login requires a visible window β€” on a headless server, use headless='virtual' (Xvfb) or forward via VNC/noVNC so you can complete 2FA.
  • The session won't survive a fingerprint+IP change, so configure the proxy before the first login.

For most users, running locally is simpler and safer. The remote HTTP transport (GHOSTVAULT_TRANSPORT=http) is there if you need it. </details>

<details> <summary><b>Does this work with non-Google sites?</b></summary>

Yes β€” that's a major use case. Once an account is signed in, call gv_open_url with any URL. Sites that use "Sign in with Google" will auto-SSO using the account's session. The agent can then navigate them like any other page. </details>

<details> <summary><b>How is this different from browser-use / Stagehand / AgentQL?</b></summary>

Those are agent frameworks (they provide the LLM↔browser reasoning loop). Ghostvault is a tool provider β€” it exposes browser tools via MCP that any agent framework (or plain Claude Desktop) can call. You can even combine them: use Ghostvault for the stealth Google sessions and let your favorite agent framework drive the pages.

Ghostvault uses Camoufox (Firefox/Juggler), while browser-use 0.13+ requires CDP (Chromium-only) β€” so they don't directly interoperate, but they solve different problems. </details>

<details> <summary><b>Where is my data stored? Is it sent anywhere?</b></summary>

Everything stays local under ~/.ghostvault/:

  • profiles/ β€” per-account Camoufox profiles (cookies, localStorage, fingerprint lock)
  • logs/ghostvault.jsonl β€” structured debug log
  • browserver.sqlite β€” account metadata only (no sessions)

Nothing is ever sent to a remote server except the browser traffic itself (which exits via your home IP, or your configured proxy). Ghostvault has no telemetry, no analytics, no phone-home. </details>

<details> <summary><b>The agent says "No active account" β€” what do I do?</b></summary>

You need to sign in first. Tell the agent: "Sign in to [account name]". A browser window opens; complete Google login there. After that, the account is active and the browser tools work. See Typical first-time flow. </details>


Troubleshooting

Symptom Fix
Login window doesn't appear Set GHOSTVAULT_HEADLESS=false in .env or your client config env block
gv_read_gmail returns empty Gmail's DOM changes often β€” fall back to gv_open_url to mail.google.com + gv_get_page_content with include_screenshot=true
"Session not authenticated" The session expired β€” re-run gv_sign_in for that account
Agent action had no effect Call gv_get_logs and/or gv_screenshot to see what the browser shows
Install fails on camoufox fetch Network issue β€” retry with python -m camoufox fetch, or skip and run it later
Two windows for same account Not possible β€” Ghostvault enforces one context per account. Switch accounts instead.

Important notes

  • First-time login = new device. Google sees a new fingerprint/IP, so expect a 2FA challenge. This is one-time per account.
  • Local-first by default. Traffic exits via your home IP. If you move Ghostvault to a server, add a residential proxy and re-login.
  • One context per account. Ghostvault refuses to open two windows for the same profile (would corrupt it). Switch accounts instead.
  • Gmail scraping is best-effort. Gmail's DOM changes often; if gv_read_gmail returns empty, fall back to gv_open_url + gv_get_page_content with a screenshot.
  • Sessions are sensitive. Anyone with read access to ~/.ghostvault/ has full access to your Google accounts. Protect that directory β€” or enable encryption at rest.
  • Camoufox β‰  Firefox. Ghostvault downloads its own patched Camoufox browser (~120 MB) during install. You don't need to install Firefox separately; the two don't conflict.

Roadmap

Legend: 🟒 done Β· πŸ”΅ in progress Β· βšͺ planned Β· 🏁 good first issue Β· πŸ’› help wanted Β· πŸ’° needs funding

v0.1 β€” MVP (current release)

  • 🟒 Core: per-account persistent Camoufox profiles + locked fingerprints
  • 🟒 24 MCP tools (accounts, lifecycle, browser, Gmail, debug, private/public gate)
  • 🟒 Vision support (gv_screenshot, include_screenshot)
  • 🟒 Structured JSONL debug logs + gv_get_logs
  • 🟒 One-click installer (install.sh) with auto-config for Claude Desktop / Cursor
  • 🟒 Auto-update check on startup
  • 🟒 CI: lint + test (3.11/3.12) + build

v0.2 β€” Solidify (in progress)

Make what exists reliable enough for daily use.

  • 🟒 Auto-detect host OS β€” GHOSTVAULT_DEFAULT_OS=auto resolves to the machine's OS
  • 🟒 Real browser integration tests in CI β€” runs against a real Camoufox browser in GitHub Actions, validating the persistent-context contract and the fingerprint-lock stability invariant across relaunches
  • 🟒 Windows installer (install.ps1) β€” PowerShell one-click installer
  • 🟒 Encryption at rest (optional) β€” AES-256-GCM + OS keychain
  • 🟒 Auto-close / auto-lock (optional) β€” close + re-encrypt after each task or after N idle minutes
  • 🟒 Lock / sign-out / delete tools β€” gv_lock_account, gv_sign_out, gv_delete_account
  • 🟒 Configurable window size β€” GHOSTVAULT_WINDOW_WIDTH / GHOSTVAULT_WINDOW_HEIGHT
  • 🟒 24 MCP tools (renamed google_* β†’ gv_* for multi-provider support)
  • 🟒 Private/public profiles (optional) β€” password gate + 5-attempt wipe
  • 🟒 SDK client (ghostvault_sdk) β€” programmatic access without an LLM
  • βšͺ Publish to PyPI β€” pip install ghostvault (currently source-only)
  • βšͺ Robust Gmail reader β€” graceful fallbacks when Gmail's DOM changes + structured output
  • βšͺ Session health check β€” auto-detect expired sessions and tell the agent to re-login
  • βšͺ gv_get_account_cookies / gv_export_session β€” backup/restore sessions
  • 🏁 Replace ad-hoc CSS selectors in pages.py with a tested selector strategy
  • 🏁 Add more languages to the README (TH, ES, ZH) β€” translations welcome

v0.3 β€” More Google services

Cover the main Google use cases.

  • βšͺ Google Drive β€” list, download, upload files 🏁
  • βšͺ Google Calendar β€” upcoming events, create events
  • βšͺ Google Photos β€” list, download 🏁
  • βšͺ Google Contacts β€” search, export
  • βšͺ Generic "fill + submit form" helper with better recovery
  • βšͺ gv_wait_for_element + gv_wait_for_navigation tools

v1.0 β€” Production-ready (multi-user / server)

Safe to run as a shared service.

  • πŸ”΅ Encrypt profiles at rest β€” AES-256-GCM + OS keychain (implemented, in testing)
  • 🟒 Private/public profiles + password gate β€” done in v0.2 (moved from v1.0)
  • βšͺ Per-account proxy lock enforcement in the API πŸ’›
  • βšͺ Docker image + docker-compose πŸ’›
  • βšͺ Audit log (who did what, when)
  • βšͺ Rate limiting + concurrent account limits
  • βšͺ Independent security review πŸ’°

v1.x+ β€” Ecosystem

Grow beyond Google.

  • βšͺ Plugin system for per-site action packs (Notion, GitHub, Stripe, ...)
  • βšͺ MCP marketplace listing
  • βšͺ Vision-based action suggestion (LLM looks at screenshot β†’ proposes next action)
  • βšͺ Cloud-hosted option (managed Ghostvault as a service) πŸ’°

Contributing to the roadmap

  • Pick anything marked 🏁 (good first issue) or πŸ’› (help wanted) β€” open a PR.
  • For πŸ’° items (security review, hosting), we'd need sponsorship; reach out via Discussions.
  • Have a use case we're missing? Open a discussion.

Contributing

Contributions welcome! See CONTRIBUTING.md for setup, conventions, and how to add a new tool.

pip install -e ".[dev]"
pytest -q
ruff check .

Adding a tool

  1. Add the input model to src/ghostvault/inputs.py
  2. Add the logic to src/ghostvault/tools.py (raise ToolError for expected failures)
  3. Register it in src/ghostvault/server.py with @mcp.tool(name=..., annotations=...) and a thorough docstring
  4. Add a test under tests/

The fingerprint lock is an invariant β€” any change that breaks it causes every account to look like a new device. tests/test_fingerprint.py guards it; keep it green.


Development

git clone https://github.com/mienetic/Ghostvault.git
cd Ghostvault
pip install -e ".[dev]"
python -m camoufox fetch   # one-time browser download
pytest -q                  # 17 unit tests
ruff check .               # lint

License

MIT Β© Ghostvault Contributors


<div align="center">

⚠️ Use responsibly. Ghostvault is a tool for managing your own accounts. Don't use it to access accounts you don't own, violate terms of service, or do anything illegal. You are responsible for how you use it.

</div>

Recommended Servers

playwright-mcp

playwright-mcp

A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.

Official
Featured
TypeScript
Magic Component Platform (MCP)

Magic Component Platform (MCP)

An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.

Official
Featured
Local
TypeScript
Audiense Insights MCP Server

Audiense Insights MCP Server

Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.

Official
Featured
Local
TypeScript
VeyraX MCP

VeyraX MCP

Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.

Official
Featured
Local
graphlit-mcp-server

graphlit-mcp-server

The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.

Official
Featured
TypeScript
Kagi MCP Server

Kagi MCP Server

An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.

Official
Featured
Python
E2B

E2B

Using MCP to run code via e2b.

Official
Featured
Neon Database

Neon Database

MCP server for interacting with Neon Management API and databases

Official
Featured
Exa Search

Exa Search

A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.

Official
Featured
Qdrant Server

Qdrant Server

This repository is an example of how to create a MCP server for Qdrant, a vector search engine.

Official
Featured