"lightweight sandboxing" isn't far enough for agents, you really need _full sandboxing_.
For example, can you instruct it to open file:// from the local os, or download some colossal 100TB file?
prompt injection isn't going away anytime soon, so we have to treat the agent like arbitrary code. Wrapping in something like Firecracker, and giving the agent extremely scoped access is crucial.
One achillies heel of browser use agents is that you often can't filter permissions like you can with API keys, which is shown in this demo by having the agent make an api key.
For example, can you instruct it to open file:// from the local os, or download some colossal 100TB file?
prompt injection isn't going away anytime soon, so we have to treat the agent like arbitrary code. Wrapping in something like Firecracker, and giving the agent extremely scoped access is crucial.
One achillies heel of browser use agents is that you often can't filter permissions like you can with API keys, which is shown in this demo by having the agent make an api key.