The thought that occurs to me is, the action here that actually needs gating is maybe not the web browsing: it's accessing credentials. That should be relatively easy to gate off behind human approval!

I'd also point out this a place where 2FA/MFA might be super helpful. Your phone or whatever is already going to alert you. There's a little bit of a challenge in being confident your bot isn't being tricked, in ascertaining even if the bot tells you that it really is safe to approve. But it's still a deliberation layer to go through. Our valuable things do often have these additional layers of defense to go through that would require somewhat more advanced systems to bot through, that I don't think are common at all.

Overall I think the will here to reject & deny, the fear uncertainty and doubt is both valid and true, but that people are trying way way way too hard, and it saddens me to see such a strong manifestation of fear. I realize the techies know enough to be horrified strongly by it all, but also, I really want us to be an excited forward looking group, that is interested in tackling challenges, rather than being interested only in critiques & teardowns. This feels like an incredible adventure & I wish to en Courage everyone.

You do need to gate the web browsing. 2FA and/or credential storage helps with passwords, but it doesn't help with other private information. If the claw is currently, or was recently, working with any files on your computer or any of your personal online accounts, then the contents of those files/webpages are in the model context. So a simple HTTP request to example.com/<base64(personal info)> presents the exact same risk.

You can take whatever risks you feel are acceptable for your personal usage - probably nobody cares enough to target an effective prompt-injection attack against you. But corporations? I would bet a large sum of money that within the next few years we will be hearing multiple stories about data breaches caused by this exact vulnerability, due to employees being lazy about limiting the claw's ability to browse the web.