AI Browser Guard Is Now on the Chrome Web Store
Browsers Have No Agent Visibility
AI agents are already operating inside browsers. Playwright, Puppeteer, and Selenium have been doing it for years through testing automation. Now a new wave — Anthropic Computer Use, OpenAI Operator, browser-use, and dozens of MCP-based tools — connects to real browser sessions to perform tasks on behalf of users.
Chrome has no built-in mechanism to answer three basic questions:
Is an agent controlling my browser right now? Chrome does not surface CDP connections, WebDriver flags, or automation markers to the user. An agent can navigate to your bank, fill out forms, and submit them without any visible indicator.
What is the agent doing? There is no session log, no audit trail, no record of which pages were visited, which forms were submitted, or which data was read. When an agent finishes, the evidence of what happened is gone.
How do I stop it? If an agent starts doing something unexpected, the only option today is to close the browser entirely. There is no scoped kill switch — no way to revoke just the agent's access while keeping your tabs open.
This is not a theoretical risk. Computer Use agents take screenshots and click coordinates on your actual desktop. Browser-use agents navigate real websites with your cookies and saved passwords. MCP browser tools read DOM content from pages you are logged into. If any of these agents are compromised, misconfigured, or given too broad a task, they have full access to everything your browser session can reach.
The gap is straightforward: browsers were built for human users and have no concept of delegated agent access. AI Browser Guard adds that layer.
What AI Browser Guard Does
AI Browser Guard is a Chrome Manifest V3 extension that detects automation frameworks through multiple independent signals and gives you tools to manage what agents can do. It runs entirely in the browser with zero network requests — no cloud, no analytics, no data leaving your machine.
Five Core Features
1. Agent Takeover Detection
Detects automation frameworks without requiring agents to identify themselves. Uses WebDriver flag detection, CDP connection scanning, behavioral heuristics (click precision, typing cadence, synthetic events), and framework-specific fingerprinting. Works against Playwright, Puppeteer, Selenium, Computer Use, Operator, and generic CDP/WebDriver connections.
2. Emergency Kill Switch
One-click termination of all agent access. Clears automation flags, revokes delegated permissions, and broadcasts stop commands to all tabs. Keyboard shortcut: Ctrl+Shift+K (Cmd+Shift+K on Mac).
3. Delegation Wizard
Define what agents can do before they connect. Three presets: Read-Only (navigate and read only), Limited (specific sites, time-bounded at 15min/1hr/4hr), and Full Access (everything allowed with logging). Supports site allowlists and blocklists with glob patterns.
4. Boundary Violation Alerts
Fail-closed rule evaluation blocks unauthorized actions before they execute. Each violation generates a Chrome notification showing what was attempted, which rule blocked it, and an option to allow the action once.
5. Session Timeline
Chronological log of every agent action per session. Each entry includes timestamp, action type, target URL, target element (CSS selector), and outcome (allowed or blocked). Last 5 sessions retained locally.
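The delegation, fail-closed evaluation and timeline features described above fit together as one decision function. The following is an added example, not code from the AI Browser Guard repository: the rule shape, the `allowedActions` list, the reason strings and all function names are assumptions made for illustration.

```javascript
// Added illustration: hypothetical rule shape and names, not AI Browser Guard's code.

// Convert a site glob such as "*.example.com" into an anchored RegExp.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*") + "$", "i");
}

function hostMatches(host, globs) {
  return (globs || []).some((g) => globToRegExp(g).test(host));
}

// Fail closed: each check that fails returns a "blocked" timeline entry;
// "allowed" is only produced after every check has passed.
function evaluate(rule, action, now) {
  const entry = (outcome, reason) => ({
    timestamp: new Date(now).toISOString(),
    actionType: action.type,
    targetUrl: action.url,
    targetElement: action.selector || null,
    outcome,
    reason,
  });
  let host;
  try {
    host = new URL(action.url).hostname;
  } catch (e) {
    return entry("blocked", "unparseable-url");
  }
  if (!rule || typeof rule.expiresAt !== "number" || now >= rule.expiresAt) {
    return entry("blocked", "no-active-delegation");
  }
  if (hostMatches(host, rule.blocklist)) return entry("blocked", "blocklist");
  if (!hostMatches(host, rule.allowlist)) return entry("blocked", "not-in-allowlist");
  if (!(rule.allowedActions || []).includes(action.type)) return entry("blocked", "action-not-permitted");
  return entry("allowed", "rule-match");
}

// Constructed sample: a "Limited" delegation, 15 minutes, two site patterns.
const START = Date.UTC(2025, 0, 1, 12, 0, 0);
const limited = {
  allowlist: ["*.example.com", "docs.example.org"],
  blocklist: ["bank.example.com"],
  allowedActions: ["navigate", "read", "click"],
  expiresAt: START + 15 * 60 * 1000,
};
```

Anchoring the glob at both ends is what keeps a host such as `example.com.evil.test` from matching `*.example.com`, and checking the blocklist before the allowlist lets a narrow block override a broad allow.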
Privacy: Zero Network Requests
AI Browser Guard makes zero external network requests. No analytics, no telemetry, no crash reports. All detection, delegation evaluation, and session logging happens locally in the browser. Data is stored in chrome.storage.local and deleted when you uninstall.
The full source code is available at github.com/opena2a-org/AI-BrowserGuard under the Apache-2.0 license. Audit every line.
Permissions
storage: Persist sessions, rules, and settings locally
alarms: Delegation expiration timers
notifications: Boundary violation alerts
host_permissions (<all_urls>): Content scripts must run on every page to detect agents on any site
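Three of the signals named under Agent Takeover Detection (the WebDriver flag, synthetic events and typing cadence) can be computed in-page, which is why content scripts have to run on every site. This is an added sketch, not the extension's implementation: the function name, the event record shape and the thresholds are assumptions.

```javascript
// Added illustration: names, event shape and thresholds are assumptions,
// not AI Browser Guard's implementation.

// nav: a navigator-like object. events: [{ type, isTrusted, t }] with t in milliseconds.
function automationSignals(nav, events) {
  const signals = [];

  // WebDriver flag: automated sessions are expected to expose navigator.webdriver === true.
  if (nav && nav.webdriver === true) signals.push("webdriver-flag");

  // Synthetic events: events dispatched from script carry isTrusted === false.
  if (events.some((e) => e.isTrusted === false)) signals.push("synthetic-events");

  // Typing cadence: human inter-key gaps vary; near-constant gaps suggest scripted input.
  const keyTimes = events.filter((e) => e.type === "keydown").map((e) => e.t);
  if (keyTimes.length >= 6) {
    const gaps = keyTimes.slice(1).map((t, i) => t - keyTimes[i]);
    const mean = gaps.reduce((a, b) => a + b, 0) / gaps.length;
    const variance = gaps.reduce((a, g) => a + (g - mean) ** 2, 0) / gaps.length;
    if (Math.sqrt(variance) < 5) signals.push("uniform-typing-cadence");
  }
  return signals;
}

// Constructed samples: keydown timestamps for a person and for a fixed-delay script.
const toKeydowns = (times) => times.map((t) => ({ type: "keydown", isTrusted: true, t }));
const humanTyping = toKeydowns([0, 140, 230, 410, 520, 700, 790]);
const scriptedTyping = toKeydowns([0, 50, 100, 150, 200, 250, 300]);
```

Input delivered over CDP arrives as trusted events, so the `isTrusted` check on its own does not cover every framework; that is one reason to evaluate several independent signals together.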
Building from Source
$ git clone https://github.com/opena2a-org/AI-BrowserGuard.git
$ cd AI-BrowserGuard
$ npm install
$ npm run build
$ npm run test # 239 tests
# Load dist/ as unpacked extension in chrome://extensions
What Comes Next
AI Browser Guard today works standalone — no account, no infrastructure, no dependency on anything else. That is intentional. The first job is detection and control for individual users.
The next phase connects it to the broader OpenA2A platform:
AIM integration for cryptographic agent identity verification. Right now the extension can detect that an agent is present, but it cannot verify who issued it, what it is authorized to do, or whether its capability manifest is signed. AIM (Agent Identity Management) provides exactly that — cryptographic identity, capability-based access control, and a signed audit trail. When a browser agent presents an AIM identity token, the extension will be able to verify it against the registry rather than relying on behavioral heuristics alone.
Registry trust scores for detected agents. OpenA2A's Registry currently tracks 16,900+ MCP servers and 78,000+ AI packages, each with a security score derived from HackMyAgent scans. Browser agents that connect to known MCP servers will surface that trust context directly in the extension popup — so you can see not just that an agent is present, but whether the tools it's using have been scanned, flagged, or verified.
Enhanced behavioral analysis for new frameworks. Detection signatures for browser-use, WebMCP (Chrome 146), and other emerging protocols are in active development.
Exportable session reports for compliance and audit use cases.
About OpenA2A
AI Browser Guard is one part of OpenA2A, an open-source security platform for AI agents. AI agents are already making decisions, calling APIs, and accessing production data — without identity, visibility, or accountability. One compromised or misaligned agent can silently exfiltrate data, escalate privileges, or delete critical systems, and most organizations won't notice until damage is done.
OpenA2A builds the infrastructure to close that gap. 4 npm packages published. 17K+ downloads across the ecosystem. 8 security PRs accepted into OpenClaw (205K+ stars). 2,500+ lines of security code merged into projects used by millions.
The full ecosystem:
Security scanner with 147 security checks across prompt injection, tool poisoning, credential exposure, path traversal, privilege escalation, and more. Runs against live agents and MCP servers.
$ npx hackmyagent secure
Prevents AI coding tools (Claude Code, Cursor, Copilot, Windsurf) from reading .env files, SSH keys, and API credentials during context gathering.
$ npx secretless-ai init
AIM (Agent Identity Management)
Cryptographic identity issuance, capability-based access control, trust scoring, and audit trails for AI agents. The identity layer that existing IAM infrastructure was not built to handle.
ARP (Agent Runtime Protection)
Runtime monitoring of agent process execution, network calls, and filesystem access. Treats model output as untrusted input verified against a signed capability manifest.
OASB (Open Agent Security Benchmark)
222 standardized attack scenarios across 10 MITRE ATLAS techniques. The machine-scannable compliance standard the industry does not yet have.
Live security intelligence across 16,900+ MCP servers and 78,000+ AI packages. The largest known collection of MCP server data, with trust scores derived from automated scanning.
DVAA (Damn Vulnerable AI Agent)
Intentionally vulnerable agents for security training and red-teaming. The DVWA equivalent for the AI agent attack surface.
AI agents should be powerful — but never unaccountable.