Building safe browser agents

Safety is not a feature we bolt on at the end. It is a core design constraint that shapes every decision in how the agent works.

The first principle is approval gates. The agent never auto-confirms purchases, sends messages, deletes data, or downloads files. Every sensitive action pauses execution and asks for your explicit approval.

The second principle is prompt-injection resistance. Web pages are untrusted content. A page might contain text that tries to redirect the agent — instructions hidden in HTML, misleading button labels, or cross-site redirects. Our agent treats all page content as data, never as instruction.

The third principle is credential isolation. Your passwords and login credentials live in your OS keychain. They are never transmitted to our cloud in plaintext. When the agent logs into a site, our cloud sees only that a login was completed, not the credential values.

These are not aspirational goals. They are active constraints in the current product.