mullingitover 2 days ago

On the one hand: an agentic browser sounds like a cool idea. Being able to automate things with an agent on the client side is crazy powerful.

On the other hand: this has the potential to be an absolute security Chernobyl. A browser is likely to be logged into all your sensitive accounts. An agent in your browser is probably going to be exposed to untrusted inputs from the internet by its very nature.

You have the potential for prompt injection to turn your life upside down in a matter of seconds. I like the concept but I wouldn't touch this thing with a ten-foot pole unless everyone in the supply chain was PCI/SOC2/ISO 27001 certified, the whole supply chain has been vetted, and I have blood oaths about its security from third-party analysts.

felarof 2 days ago | parent

Thanks for raising this - it's a critical concern and you're absolutely right to be cautious.

This is exactly why we're going local-first and open source. With cloud agents (like Manus.im), you're trusting a black box with your credentials. With local agents, you maintain control:

- Agents only run when you explicitly trigger them

- You see exactly what they're doing in real-time and can stop them

- You can run tasks in a separate Chrome user profile

- Most importantly: the code is open source, so you can audit exactly what's happening.

econ 2 days ago | parent | next

Have an agent monitor what is going on and raise dialogs explaining why something is not okay, question the need for something, have email or SMS confirmation, extra passwords, or bluntly refuse to do the destructive task right now (ask me again in 36 hours). Then, when you have the blood oath and the certifications, it can continue to monitor as an extra layer.

adamoshadjivas 2 days ago | parent | prev

This sounds LLM-generated.

Regardless, you did not answer OP's point, which is that any potentially malicious site can prompt inject you at any point, and trigger an MCP or any other action or whatever before you see them and stop them. The whole point of an AI browser is like a self-driving car: being able to de-focus and let it do its thing. If I have to be nervous watching whether I'm getting hacked at any given second, then it's probably not a great product.

felarof 2 days ago | parent

I see, definitely agree that more work is needed in figuring out the right UX here. Probably open a shadow browser with OAuth sessions of only a small subset of sites required for the task?

lolinder a day ago | parent

That would help, but who defines which sites are required for the task? If it's the LLM, you haven't solved prompt injection, because the LLM can be persuaded to open other sites that the user didn't intend.
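One way to make the task scope something the user fixes rather than the LLM, as an added illustration of the point above (not code from the browser project discussed in this thread; `createTaskScope`, `checkAction`, `runActions` and the sample origins are invented for it):

```javascript
// Per-task scope: the USER lists the origins a task may touch before the agent
// runs. Only a read-only lookup is exposed, so nothing produced later (model
// output, page text, injected instructions) can widen the set.
function createTaskScope(userAllowedOrigins) {
  const origins = new Set(userAllowedOrigins.map((o) => new URL(o).origin));
  return Object.freeze({ has: (origin) => origins.has(origin), size: origins.size });
}

// Check one action the model proposes. Navigation/fetch off the allowlist is
// refused; an action flagged destructive is held for explicit user confirmation
// (the "raise a dialog / ask me later" idea from the thread) instead of executed.
function checkAction(scope, action) {
  if (action.type === "navigate" || action.type === "fetch") {
    let origin;
    try {
      origin = new URL(action.url).origin; // scheme + host + port; http != https
    } catch {
      return { allowed: false, reason: "malformed url" };
    }
    if (!scope.has(origin)) {
      return { allowed: false, reason: `origin ${origin} is outside the task scope` };
    }
    return { allowed: true, reason: "in scope" };
  }
  if (action.destructive) {
    return { allowed: false, reason: "destructive action needs user confirmation" };
  }
  return { allowed: true, reason: "ok" };
}

// Run the proposed actions in order. A refused navigation stops the task and
// leaves a log entry for the user rather than silently skipping it.
function runActions(scope, actions) {
  const log = [];
  for (const action of actions) {
    const verdict = checkAction(scope, action);
    log.push({ ...action, ...verdict });
    if (!verdict.allowed && (action.type === "navigate" || action.type === "fetch")) break;
  }
  return log;
}

// Constructed scenario: the user scoped the task to one shop. A page on that shop
// contains injected text, and the (simulated) model obediently proposes a hop to
// an origin the user never chose. The scope, not the model, decides.
const scope = createTaskScope(["https://shop.example"]);
const modelProposedActions = [
  { type: "navigate", url: "https://shop.example/cart" },
  { type: "navigate", url: "https://not-chosen.example/" }, // came from page content
  { type: "navigate", url: "https://shop.example/checkout" },
];
const result = runActions(scope, modelProposedActions); // 2 entries; task halted
```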