"lightweight sandboxing" isn't far enough for agents, you really need _full sandboxing_.
For example, can you instruct it to open file:// from the local os, or download some colossal 100TB file?
prompt injection isn't going away anytime soon, so we have to treat the agent like arbitrary code. Wrapping in something like Firecracker, and giving the agent extremely scoped access is crucial.
One achillies heel of browser use agents is that you often can't filter permissions like you can with API keys, which is shown in this demo by having the agent make an api key.
I hope that we get more solutions in this direction! I want to use ai browser agents and other things that involve connecting ai up to my accounts, but I've avoided so far and will continue to avoid until I'm confident on the security.
"lightweight sandboxing" isn't far enough for agents, you really need _full sandboxing_.
For example, can you instruct it to open file:// from the local os, or download some colossal 100TB file?
prompt injection isn't going away anytime soon, so we have to treat the agent like arbitrary code. Wrapping in something like Firecracker, and giving the agent extremely scoped access is crucial.
One achillies heel of browser use agents is that you often can't filter permissions like you can with API keys, which is shown in this demo by having the agent make an api key.
I hope that we get more solutions in this direction! I want to use ai browser agents and other things that involve connecting ai up to my accounts, but I've avoided so far and will continue to avoid until I'm confident on the security.
How about we disable all browser AI features? That's what I do with Brave: I go to brave://flags and disable everything that mentions "AI" or "Leo".
I don't want a trojan horse in my own browser.
Just curious, but I'm curious what these platforms are chasing? I assume a quick acquisition by an org like Salesforce building huge agentic tooling?
Surely this time it will work