Todd Schiller - AI

agent-browser-shield June 3 update: 14 new rules and the Chrome Web Store listing

2026-06-03T00:00:00-04:00

Two days after the alpha announcement, agent-browser-shield has a Chrome Web Store listing and 14 new protection rules.

Install from the Chrome Web Store

The extension is live at chromewebstore.google.com/detail/agent-browser-shield. One click instead of unpacked-from-source. The prebuilt ZIP and source-build paths stay for Browserbase and other runtimes that need an unpacked extension.

New rules: handling prompt injection and context pollution in invisible surfaces

A browser-use agent reads surfaces a sighted user never looks at. The new rules close them:

<noscript> blocks (never rendered with JS on, but agents walk them)
Poisoned <meta> description and <title> (the compact "what is this page" answer many agents pull first)
JSON-LD <script> blocks (cited as the "trusted summary" of a page)
aria-label, alt, title, placeholder, and SVG <title> / <desc> / <text> (a11y-tree carriers)
Unicode tag characters, bidi overrides, and zero-width payloads
Long base64 / hex / percent-encoded blobs (the "decode this and follow it" pattern)

New rules: trust laundering

link-spoof-annotate flags Cyrillic homoglyphs and anchors whose visible text doesn't match the href apex. disguised-ad-flag collapses native advertorials (Sponsored / Paid Post) that share DOM shape with editorial. trust-badge-annotate and schema-trust-sanitize ship off by default while we assess their false-positive rates.

The daily-driver surprise

I've started running it on my own daily-driver browser, not just agent runs. There have been some funny quirks (e.g., flagging GitHub issue links with ".md" in the link text as suspicious and hiding the GitHub issue template modal). However, overall it's been a positive on my browsing experience. So, we'll be experimenting with making more annotations visible to humans and multi-modal LLMs.

⭐ https://github.com/pixiebrix/agent-browser-shield

Introducing agent-browser-shield (alpha): keeping AI agents safe in the browser

2026-06-01T00:00:00-04:00

There are 6 billion internet users. With AI agents, we're quickly heading to 60 to 600 billion "users" of the web.

How do we keep all those agents safe when they touch the browser?

At PixieBrix, we've spent years protecting BPO contact centers from insider risk, fraud, and social engineering in the browser.

Today, we're applying that defense to AI agents and making a free, source-available, browser extension available (on GitHub and ClawHub).

Your AI agent that lands on a fresh page is one prompt injection away from leaking credentials, one dark pattern away from buying the wrong thing, and one fake review away from a bad recommendation.

Agent Browser Shield sits between the browser and the agent. It blocks:

Prompt injection: visible or hidden instructions in page content
Dark patterns: manipulative UI designed to trick/coerce
Context pollution: low-value context that impairs instruction following

A useful side effect: stripping irrelevant content also cuts token burn.

Come join us on our mission. File issues, send PRs, or just tell me what you hate/love!

The threat surface for agentic browsing is evolving fast. Let's defend our AI assistants together!

⭐ Star the GitHub repo: https://github.com/pixiebrix/agent-browser-shield
🦞 Star the OpenClaw skill: https://clawhub.ai/pixiebrix/agent-browser-shield

Letting OpenClaw loose on Boston's open data

2026-05-30T00:00:00-04:00

Today was the Boston OpenClaw Hackathon, which had a theme of using the Boston open data hub.

For my project, I wanted to see how far OpenClaw could get on its own in analyzing the data (with Claude Sonnet 4.6 as a backing model).

First, I had OpenClaw connect itself to the MCP server, starting from the press release about the launch of the MCP server.

Once connected, I asked it to analyze contracts for signs of corruption. It was able to come up with its own approach for signals and queries. For example: "Departments Using the Most Limited Competition", "Top Vendors by Limited Competition Value", and "Bid Threshold Clustering (near $10K)".

After flagging companies, I had it analyze those companies' connections to city officials.

There were some interesting nuggets! For example, Capitol Waste Services was flagged as high risk for having $285M in historic contracts, of which $136M were awarded with limited competition.

The connection research flagged a 2015 fine of $120,000 by the Office of Campaign and Political Financing (OCPF) for illegal campaign donations.

From there, I had OpenClaw create and package a skill for flagging corruption signals. The skill encodes the queries and data analysis scripts it developed. That skill is available here: boston-contract-corruption.skill.

Some other interesting questions OpenClaw was able to answer from the data:

Which restaurants are the worst health code offenders but haven't been shut down yet?
Which roads/intersections are the worst for biking, based on pothole reports and accidents?

Overall, it was a fun experiment to see how AI agents might impact civic tech. A big thanks to the hackathon organizers, everyone who demoed, and the city of Boston for making this data available!

The agentic opportunity: value, not hours

2025-10-26T00:00:00-04:00

A fundamental mistake people make when assessing the agentic opportunity is a focus on hours (or FTEs) instead of value.

It's indisputable that agentic automation will reshape the number of human hours for processes like order-to-cash and compliance.

However, it fails to address what drives enterprise value (vs. COGS). Defensible enterprise value comes from empowering your people to be their best.

At PixieBrix, we're focused on helping companies create customer success and loyalty to win.

Where agentic work creates value isn't always where it saves the most hours.