BrowserGuard
Chrome extension for detecting browser-based AI agents and blocking their scripted actions. Manifest V3.
AI agents increasingly operate within the browser, reading page content, filling forms, navigating between sites, and communicating with external APIs. BrowserGuard identifies Playwright, Puppeteer, Selenium, Anthropic Computer Use, and OpenAI Operator without requiring the agent to identify itself, then provides controls to block the scripted actions each agent takes. It helps defend against data exfiltration through agent-driven downloads and form submissions, and unauthorized cross-domain navigation by autonomous agents. (DOM reads, injected scripts, and network requests are logged but not blocked in this version.)
Installation
Install directly from the Chrome Web Store:
Or build from source for development:
git clone https://github.com/opena2a-org/AI-BrowserGuard cd AI-BrowserGuard npm install && npm run build # In Chrome: # 1. Navigate to chrome://extensions # 2. Enable "Developer mode" # 3. Click "Load unpacked" # 4. Select the dist/ directory
What it protects against
- Agent takeover without notice: browser-based AI agents can control a session via CDP, WebDriver, or behavioral automation. BrowserGuard detects their presence using three independent detection layers: CDP debugger monitoring, V8 stack trace analysis, and environment fingerprinting.
- Unauthorized actions: delegation rules define what an agent can and cannot do. Actions outside the boundary are blocked before execution, with a notification for each violation.
- Unmonitored sessions: every agent action is logged to a session timeline with timestamps, target URLs, elements, and outcomes (allowed or blocked). The last 5 sessions are retained.
- No kill switch: one-click termination of all agent connections. Revokes permissions, clears automation flags, and terminates CDP sessions. Keyboard shortcut: Ctrl+Shift+K / Cmd+Shift+K.
How it works
BrowserGuard injects a lightweight content script into each tab. The content script monitors DOM mutations, network requests, and user interaction patterns without interfering with normal browsing. When AI agent activity is detected, the extension surfaces it in the popup UI and logs it to the session timeline. A background service worker coordinates detection across tabs and manages the delegation policy engine.
Detected frameworks
Detection combines three independent layers: CDP debugger monitoring, V8 stack trace analysis, and environment fingerprinting. Each method below has been verified against the real framework. The agent does not have to identify itself.
| Framework | Detection method |
|---|---|
| Playwright | CDP debugger attachment, UtilityScript.evaluate in V8 stack traces |
| Puppeteer | CDP debugger, pptr:evaluate stack traces, navigator.webdriver, dimension inversion |
| Selenium | CDP debugger, callFunction / executeScript stack traces, dimension equality |
| Anthropic Computer Use | Software WebGL renderer (llvmpipe / Mesa), Xvfb screen resolution, Linux fingerprint |
| OpenAI Operator | Same as Playwright (Operator uses Playwright internally) plus cloud environment signals |
| Generic CDP / WebDriver | chrome.debugger.getTargets(), navigator.webdriver flag |
Features
- Session timeline: visual history of all detected agent activity
- Delegation engine: define which agents can access which tabs/domains
- Kill switch: immediately terminate all agent activity
- Boundary monitoring: alerts when agents cross domain boundaries
- Alert system: configurable notifications for detected agent activity
- Popup UI: quick status overview and controls
Delegation presets
Delegation rules define which agents can access which tabs and domains, and what each agent is permitted to do once detected. Three presets cover the common cases:
| Preset | What the agent can do |
|---|---|
| Read-Only | Navigate and read pages. No clicking, typing, or form submission. |
| Limited | Interact with specific sites (user-defined allowlist), time-bounded (15min / 1hr / 4hr). |
| Full Access | Unrestricted, but all actions are logged and boundary alerts remain active. |
Site allowlists and blocklists support glob patterns (for example, *.bank.com).
Configuration
Click the BrowserGuard icon in the Chrome toolbar to access the popup UI. From there:
- Toggle detection on or off per tab or globally
- Configure domain allowlists and blocklists for the delegation engine
- Apply a delegation preset (Read-Only, Limited, Full Access)
- Export the session timeline as JSON for external analysis
- Trigger the kill switch to terminate all agent connections
Privacy and opt-in
All detection, delegation, and session tracking runs locally in the browser. No analytics, no tracking.
Optional opt-in: anonymized detection patterns can be shared with the OpenA2A trust registry to improve community threat intelligence. This is disabled by default and prompted after 5 detections. Full policy: opena2a.org/aibrowserguard/privacy.