ceLLMate: Sandboxing Browser AI Agents

TL;DR

ceLLMate is a browser extension framework that sandbox BUAs at the HTTP layer, effectively reducing prompt injection risks while maintaining acceptable performance overhead.

Contribution

It introduces a novel HTTP-layer sandboxing approach for browser AI agents, addressing security vulnerabilities in web interactions.

Findings

Successfully blocks prompt injection attacks in WASP benchmark

Achieves 7.25-15% latency overhead

Provides a general, agent-agnostic sandboxing solution

Abstract

Browser-using agents (BUAs) are an emerging class of AI agents that interact with web browsers in human-like ways, including clicking, scrolling, filling forms, and navigating across pages. While these agents help automate repetitive online tasks, they are vulnerable to prompt injection attacks that trick an agent into performing undesired actions, such as leaking private information or issuing unintended state-changing requests. We propose ceLLMate, a browser-level sandboxing framework that restricts the agent's ambient authority and reduces the blast radius of prompt injections. We address the semantic gap challenge that is fundamental to BUAs -- writing and enforcing security policies for low-level UI tools like clicks and keystrokes is brittle and error-prone. Our core insight is to perform sandboxing at the HTTP layer because all side-effecting UI operations will result in network communication to the website's backend. We implement ceLLMate as an agent-agnostic browser extension and demonstrate how it enables sandboxing policies that block prompt injection attacks in the WASP benchmark with 7.25--15% latency overhead.