ceLLMate: Sandboxing Browser AI Agents
This addresses security risks for users and developers of AI agents automating web tasks, though it is an incremental improvement focused on a specific domain.
The paper tackles the vulnerability of browser-using AI agents to prompt injection attacks by proposing ceLLMate, a browser-level sandboxing framework that restricts agent authority and reduces attack impact, achieving 7.25–15% latency overhead in blocking attacks on the WASP benchmark.
Browser-using agents (BUAs) are an emerging class of AI agents that interact with web browsers in human-like ways, including clicking, scrolling, filling forms, and navigating across pages. While these agents help automate repetitive online tasks, they are vulnerable to prompt injection attacks that trick an agent into performing undesired actions, such as leaking private information or issuing unintended state-changing requests. We propose ceLLMate, a browser-level sandboxing framework that restricts the agent's ambient authority and reduces the blast radius of prompt injections. We address the semantic gap challenge that is fundamental to BUAs -- writing and enforcing security policies for low-level UI tools like clicks and keystrokes is brittle and error-prone. Our core insight is to perform sandboxing at the HTTP layer because all side-effecting UI operations will result in network communication to the website's backend. We implement ceLLMate as an agent-agnostic browser extension and demonstrate how it enables sandboxing policies that block prompt injection attacks in the WASP benchmark with 7.25--15% latency overhead.