Sandboxing Browser AI Agents (www.earlence.com)

🤖 AI Summary
Cellmate is a sandboxing framework for Browser-Use Agents (BUAs): autonomous AI tools that drive a web browser the way a person does, by clicking, scrolling and navigating. Because BUAs are built on large language models, they are exposed to prompt injection: malicious text embedded in a page that coerces the agent into harmful actions, such as leaking private data or modifying the user's authenticated accounts. Since a BUA typically holds the user's full web session, a hijacked agent is a direct threat to user privacy and to the integrity of the sites it touches, which is what motivates an injection-resistant architecture.

Cellmate's core idea is to enforce security policy at the HTTP request level rather than at the browser UI event level, which is fragile and error-prone. By treating each browser action as the HTTP request it produces, Cellmate mediates every agent action uniformly, regardless of how complex the UI is or how it changes over time. To close the semantic gap between raw HTTP requests and meaningful user actions, Cellmate relies on "agent sitemaps": structured mappings, written and maintained by a site's developers, that translate low-level requests into high-level, interpretable commands. This enables precise, domain-specific policy enforcement that restricts the agent's privileges according to the user's stated goal and the developer-provided rule set.

The approach gives comprehensive, stable mediation of BUA behaviour and divides responsibility between developers, users and the security framework so that the agent runs with minimal privilege. A GitLab case study shows that the framework significantly reduces the risk of BUA hijacking, a meaningful step toward securing AI-driven browser automation against injection attacks.