
Kimi WebBridge lets agents drive your browser: 3 guardrails for local browser agents


Moonshot AI shipped Kimi WebBridge in May 2026: a Chrome and Edge extension that lets an AI agent drive your browser. It clicks, scrolls, fills forms, and walks multi-step flows. Unlike cloud-rendered browser agents, WebBridge runs in your own browser session. Your cookies, your sessions, your local storage; the cloud sees the agent's reasoning but not your auth state.

That model removes a real class of risk (no session token ever leaves your machine) and creates a new one (the agent inherits every authenticated session you have). If it follows a redirect chain to a credential harvester, the harvester does not see Moonshot's IP; it sees yours, with your cookies attached.

The fix is not "do not use browser agents." The fix is a thin policy layer that wraps the agent's navigate, click, and submit primitives, runs three checks at the right moments, and returns structured allow or deny verdicts. Here is the policy layer, about 50 lines, and the three API calls that matter.

Where browser agents go wrong

Failure mode                    | Trigger                                          | Catch point
--------------------------------|--------------------------------------------------|-----------------------------------
Lookalike domain                | Agent reads a phishing link from page content    | Phishing check on navigate
Shortened URL hides destination | Agent follows bit.ly from a chat or doc          | URL expand before navigate
Form submit leaks PII           | Agent fills a form with auto-suggested values    | PII scan on submit payload
Clipboard auto-fill             | Password manager fills the wrong field           | PII scan on clipboard before paste
Consent screen click-through    | Agent clicks "Allow" on a malicious consent flow | Allowlist of OAuth provider hosts

Each row resolves to one check (an API call or an allowlist lookup) at one moment in the agent loop. The pattern is the same every time: do not let the agent take an action whose blast radius you cannot afford.

Guardrail 1: expand shorteners and check the final URL

A shortened URL is opaque: you do not know where it resolves until something follows it, and that something should not be your authenticated browser. Before the agent navigates, have the API expand the URL and check the final destination; a harvester at the end of the chain then sees the API's request, not your session. Both fit in one call each:

curl -X POST https://api.botoi.com/v1/url-metadata \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $BOTOI_API_KEY" \
  -d '{"url": "https://bit.ly/3xJ2k9q"}'
{
  "data": {
    "input_url": "https://bit.ly/3xJ2k9q",
    "final_url": "https://login-acme.secure-verify.net/sign-in",
    "redirect_chain": [
      "https://bit.ly/3xJ2k9q",
      "https://tinyurl.com/y4nx2q",
      "https://login-acme.secure-verify.net/sign-in"
    ],
    "title": "Sign in to Acme",
    "status": 200
  }
}

The response includes the full redirect chain. Feed the final URL into the phishing check:

curl -X POST https://api.botoi.com/v1/phishing/check \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $BOTOI_API_KEY" \
  -d '{"url": "https://login-acme.secure-verify.net/sign-in"}'
{
  "data": {
    "url": "https://login-acme.secure-verify.net/sign-in",
    "verdict": "phishing",
    "score": 0.94,
    "signals": [
      "lookalike_to: acme.com",
      "deceptive_subdomain",
      "no_brand_match_on_cert"
    ]
  }
}

A verdict of phishing on a lookalike subdomain means the agent never navigates. Return the verdict and its signals so the agent can suggest the legitimate domain (here acme.com, from the lookalike_to signal) instead of failing opaquely.
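The API returns the verdict, but a policy layer should still be able to reason about a redirect chain when the API is unreachable or rate limited. The block below is an added example, not Botoi's or Moonshot's code: it walks the redirect_chain from a url-metadata response of the shape shown above, flags shortener hops and punycode labels, and gives a local approximation of the deceptive_subdomain signal (a protected brand name appearing as a label in a host the brand does not own). The shortener list, the protected-brand table and the embedded sample response are constructed for this post; the registrable-domain extraction is a last-two-labels approximation, not a Public Suffix List lookup.

```javascript
// Added example (not Botoi or Moonshot code): local heuristics over the
// /v1/url-metadata response shape shown above. The shortener list, the
// protected-brand table and the sample response are constructed for this post.
const SHORTENERS = new Set(["bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"]);

// Brand name -> the registrable domain that legitimately owns it.
const PROTECTED_BRANDS = { acme: "acme.com", github: "github.com" };

// Simplified registrable-domain extraction: the last two labels. Wrong for
// multi-part public suffixes (co.uk, com.au); use a Public Suffix List library
// in production.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".").filter(Boolean);
  return labels.slice(-2).join(".");
}

// "deceptive_subdomain": a protected brand appears as a label (or hyphen-part
// of a label) in a host whose registrable domain is not the brand's own.
// login-acme.secure-verify.net carries "acme" but is owned by secure-verify.net.
// Misses fused spellings (acmesecure.net) and homoglyphs; those need a
// fuzzier matcher.
function lookalikeOf(hostname) {
  const host = hostname.toLowerCase();
  const legit = new Set(Object.values(PROTECTED_BRANDS));
  if (legit.has(registrableDomain(host))) return null;
  const tokens = host.split(/[.-]/);
  for (const [brand, owner] of Object.entries(PROTECTED_BRANDS)) {
    if (tokens.includes(brand)) return owner;
  }
  return null;
}

// Walks the redirect chain from a url-metadata response and returns the
// signals a navigate-time policy would act on.
function analyzeChain(meta) {
  const chain = meta.data.redirect_chain ?? [meta.data.final_url ?? meta.data.input_url];
  const hosts = chain.map((u) => new URL(u).hostname.toLowerCase());
  const finalHost = hosts[hosts.length - 1];
  const intermediates = hosts.slice(0, -1);
  const signals = [];

  const shortenerHops = intermediates.filter((h) => SHORTENERS.has(h)).length;
  if (shortenerHops > 0) signals.push("via_shortener");
  if (shortenerHops > 1) signals.push("chained_shorteners"); // shortener to shortener: legitimate links rarely do this
  if (finalHost.split(".").some((l) => l.startsWith("xn--"))) signals.push("punycode_label");
  const owner = lookalikeOf(finalHost);
  if (owner) signals.push(`lookalike_to: ${owner}`);

  // Lookalike: never navigate. Punycode or chained shorteners: a human decides.
  let verdict = "pass";
  if (signals.includes("punycode_label") || signals.includes("chained_shorteners")) verdict = "review";
  if (owner) verdict = "block";
  return { final_host: finalHost, hops: chain.length - 1, signals, verdict, suggest: owner };
}

// Constructed copy of the response shape shown above.
const SAMPLE_META = {
  data: {
    input_url: "https://bit.ly/3xJ2k9q",
    final_url: "https://login-acme.secure-verify.net/sign-in",
    redirect_chain: [
      "https://bit.ly/3xJ2k9q",
      "https://tinyurl.com/y4nx2q",
      "https://login-acme.secure-verify.net/sign-in",
    ],
    title: "Sign in to Acme",
    status: 200,
  },
};

console.log(analyzeChain(SAMPLE_META));
```

On the sample chain this returns verdict "block" with suggest "acme.com", which is exactly what the agent needs to offer the user the real sign-in page. Treat the local result as a floor, not a replacement: the remote check still sees certificate and reputation data this code does not.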

Guardrail 2: PII scan on every form submit

Browser agents fill forms fast. They also fill them wrong. An agent that pastes a clipboard value into the "company name" field when your password manager just auto-suggested a credit card is one keystroke away from submitting that card to a random merchant.

Scan the serialized form payload through PII detection before the submit fires. Allow expected fields (emails, phones, addresses for a shipping form); block restricted ones (SSNs, credit cards, passport numbers, AWS keys) and surface the field name so the agent can correct itself.
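A remote scan of the serialized payload as one string can tell you a card number is present, but not which field it landed in. Running a per-field pre-check first gives the agent the field to fix. The block below is an added example, not Botoi's code: it classifies each field value with first-match detectors (Luhn-validated card numbers, SSNs and AWS key material before the looser email and phone shapes), allows the types the form kind is expected to carry, and denies restricted types with the field named. Detectors, form kinds and the sample shipping payload are constructed for this post; passport numbers are listed as restricted but have no local detector here, so the remote call stays the authority for anything this misses.

```javascript
// Added example (not Botoi code): a local, per-field pre-check that runs before
// the remote /v1/pii/detect call, so the deny verdict can name the offending
// field. Detectors, form kinds and the sample payloads are constructed for this post.

// Luhn check rejects digit runs that merely look like card numbers.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// First match wins, so the specific detectors come before the loose ones:
// a card number also looks like a long phone number.
const DETECTORS = [
  { type: "credit_card", test: (v) => { const d = v.replace(/[\s-]/g, ""); return /^\d{13,19}$/.test(d) && luhnValid(d); } },
  { type: "ssn", test: (v) => /^(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}$/.test(v.trim()) },
  { type: "aws_access_key_id", test: (v) => /^(AKIA|ASIA)[A-Z0-9]{16}$/.test(v.trim()) },
  { type: "aws_secret_key", test: (v) => /^[A-Za-z0-9/+=]{40}$/.test(v.trim()) && /\d/.test(v) && /[a-z]/.test(v) && /[A-Z]/.test(v) },
  { type: "email", test: (v) => /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v.trim()) },
  { type: "phone", test: (v) => /^\+?[\d\s().-]{7,20}$/.test(v.trim()) && (v.match(/\d/g) || []).length >= 7 },
];

// What each kind of form is expected to carry. A card in a checkout form is
// fine; the same card in a shipping form's "company" field is not.
const EXPECTED = {
  shipping: new Set(["email", "phone"]),
  contact:  new Set(["email", "phone"]),
  checkout: new Set(["email", "phone", "credit_card"]),
};
// "passport" is restricted for parity with the remote detector but has no local
// detector here.
const RESTRICTED = new Set(["ssn", "credit_card", "passport", "aws_secret_key", "aws_access_key_id"]);

function scanForm(fields, formKind) {
  const expected = EXPECTED[formKind] ?? new Set();
  const findings = [];
  for (const [field, value] of Object.entries(fields)) {
    if (typeof value !== "string" || value === "") continue;
    const hit = DETECTORS.find((d) => d.test(value));
    if (!hit || expected.has(hit.type) || !RESTRICTED.has(hit.type)) continue;
    findings.push({ field, type: hit.type });
  }
  if (findings.length === 0) return { allow: true, findings };
  return {
    allow: false,
    findings,
    reason: findings.map((f) => `${f.type} in "${f.field}"`).join("; "),
  };
}

// Constructed: a shipping form where the password manager dropped a card into "company".
const SAMPLE_SHIPPING = {
  full_name: "Dana Example",
  email: "dana@example.com",
  phone: "+1 415 555 0100",
  company: "4111 1111 1111 1111",
  address1: "1 Main St",
};

console.log(scanForm(SAMPLE_SHIPPING, "shipping"));
```

The verdict on the sample names the field ("credit_card in "company""), which is what lets the agent clear that one field and retry instead of abandoning the form. The same Luhn gate is why a 16-digit tracking number does not trip the card detector.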

Guardrail 3: a fixed allowlist for sensitive surfaces

OAuth consent screens, payment confirmations, and admin panels never need to live behind a short link or a lookalike host. Keep a small allowlist of providers (your IdP, your payment processor, your CMS) and require explicit user confirmation before the agent acts on anything that matches a sensitive selector outside the allowlist.

Boring, finite, effective. The agent stays fast on the long tail of low-risk tasks (search, summarize, comparison shop) and pauses for a human on the few that matter.
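Deciding what counts as a sensitive surface is the real work in guardrail 3. The block below is an added example, not Botoi's or Moonshot's code: it classifies a proposed click from the page path, the element's visible text and any form action it submits to, then checks the host that receives the click against a per-kind allowlist and returns allow, or deny with needs_confirmation. The target shape, the selector patterns and the allowlisted hosts are constructed for this post.

```javascript
// Added example (not Botoi or Moonshot code): decide whether a proposed click
// touches a sensitive surface and, if so, whether the host is allowlisted.
// The target shape, selectors and allowlist are constructed for this post.

// Guardrail 3 allowlist: the only hosts where the agent may act on each kind of
// sensitive surface without a human confirming.
const SENSITIVE_ALLOWLIST = {
  oauth_consent:   new Set(["login.example-idp.com"]),
  payment_confirm: new Set(["checkout.example-pay.com"]),
  admin_panel:     new Set(["admin.example-cms.com"]),
};

// Selectors: URL path patterns plus the visible text of the element being clicked.
const OAUTH_PATH = /\/(oauth2?|authorize|o\/oauth2|connect\/authorize|saml2?\/sso)(\/|$)/i;
const OAUTH_TEXT = /\b(allow|authorize|grant access|consent|continue with|sign in with)\b/i;
const PAY_TEXT   = /\b(pay|place order|confirm purchase|buy now|complete payment)\b/i;
const ADMIN_PATH = /\/(admin|wp-admin|manage|console)(\/|$)/i;

// target = { pageUrl, tag, text, formAction? } as the click primitive would see it.
function classifySurface(target) {
  const path = new URL(target.pageUrl).pathname;
  const text = (target.text ?? "").trim();
  const submits = Boolean(target.formAction) || /^(button|input)$/i.test(target.tag ?? "");
  if (OAUTH_PATH.test(path) && OAUTH_TEXT.test(text)) return "oauth_consent";
  if (PAY_TEXT.test(text) && submits) return "payment_confirm";
  if (ADMIN_PATH.test(path)) return "admin_panel";
  return null;
}

function decideClick(target) {
  const kind = classifySurface(target);
  if (!kind) return { allow: true, kind: null };
  // Judge the host that receives the click: the form's action host when the
  // form posts elsewhere, otherwise the page's own host.
  const host = new URL(target.formAction ?? target.pageUrl, target.pageUrl).hostname;
  if (SENSITIVE_ALLOWLIST[kind].has(host)) return { allow: true, kind, host };
  return {
    allow: false,
    needs_confirmation: true,
    kind,
    host,
    reason: `${kind} on ${host} is outside the allowlist; ask the user before clicking`,
  };
}

// Constructed: an "Allow" button on a consent page served by a lookalike host.
console.log(decideClick({
  pageUrl: "https://login-acme.secure-verify.net/oauth/authorize?client_id=x",
  tag: "button",
  text: "Allow",
}));
```

Ordinary clicks (pagination, search results, expanding a thread) never match a selector and pass straight through, so the agent stays fast. Only a consent, payment or admin action on a host you have not named pauses for a human.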

The 50-line policy layer

Wire the three checks into a single function that the agent's navigate, click, and submit primitives call before acting. It runs in the extension's content script, which shares the page's DOM but not its JavaScript world, so it can read the form data and the proposed URL. Keep it there: anything injected into the page's own world, the check and the API key included, can be read or redefined by a page the agent has just been steered to.

// Inject this into the page via the WebBridge extension's content script API.
// It hooks the agent's navigate, click, and submit primitives.
// Payload shapes ({ url }, { pageUrl, sensitive }, { fields }) are this post's
// convention for what the primitives hand to the policy, not a WebBridge API.
const KEY = "<your botoi api key>"; // load from extension storage, never from page-visible JS
const failClosed = true;            // deny when a check cannot complete; see session profiles below

// Exact hostnames that skip the API round trip. Subdomains do not match.
const trustedHosts = new Set([
  "github.com", "docs.anthropic.com", "api.botoi.com", "moonshot.cn",
]);
// Guardrail 3: hosts where the agent may act on a sensitive selector
// (OAuth consent, payment confirmation, admin panel) without asking a human.
const sensitiveHosts = new Set(["login.example-idp.com", "checkout.example-pay.com"]);

async function botoi(path, body) {
  const r = await fetch(`https://api.botoi.com${path}`, {
    method: "POST",
    headers: { "Content-Type": "application/json", "X-API-Key": KEY },
    body: JSON.stringify(body),
  });
  if (!r.ok) throw new Error(`${path} returned HTTP ${r.status}`);
  return r.json();
}

const phishingCheck = (url) => botoi("/v1/phishing/check", { url });

async function policy(action, payload) {
  try {
    if (action === "navigate") {
      const host = new URL(payload.url).hostname;
      if (trustedHosts.has(host)) return { allow: true };

      // Expand shorteners and follow redirects before the agent moves
      const meta = await botoi("/v1/url-metadata", { url: payload.url });
      const final = meta.data?.final_url ?? payload.url;
      const verdict = (await phishingCheck(final)).data ?? {};
      return verdict.verdict === "clean"
        ? { allow: true, final_url: final }
        : { allow: false, reason: `url verdict ${verdict.verdict}`, signals: verdict.signals ?? [] };
    }

    if (action === "click") {
      // payload.sensitive names the matched selector class (e.g. "oauth_consent");
      // ordinary clicks leave it unset and pass straight through.
      const host = new URL(payload.pageUrl).hostname;
      if (payload.sensitive && !sensitiveHosts.has(host)) {
        return { allow: false, needs_confirmation: true,
                 reason: `${payload.sensitive} on ${host} is outside the sensitive-host allowlist` };
      }
      return { allow: true };
    }

    if (action === "submit") {
      const scan = await botoi("/v1/pii/detect", { text: JSON.stringify(payload.fields) });
      const restricted = (scan.data?.matches ?? []).filter(
        (m) => ["ssn", "credit_card", "passport", "aws_secret_key"].includes(m.type),
      );
      if (restricted.length) {
        const types = [...new Set(restricted.map((m) => m.type))].join(", ");
        return { allow: false, reason: `form contains restricted PII: ${types}` };
      }
    }

    return { allow: true };
  } catch (err) {
    // Malformed URL, unreachable API, or a non-2xx response lands here.
    return failClosed
      ? { allow: false, reason: `policy check failed: ${err.message}` }
      : { allow: true, degraded: true, reason: err.message };
  }
}

The trusted host set is your safety net for high-traffic destinations. The URL metadata call handles shorteners and redirect chains. The PII scan handles form submits. Add a clipboard intercept that runs the same PII detector before paste, and you have closed the four highest-risk failure modes in under a hundred lines.

Run the policy layer in fail-closed mode for sensitive sessions (banking, admin, payroll): if a check cannot complete (API unreachable, rate limited, malformed response), the action is denied. Use fail-open mode for low-stakes browsing, where a failed check lets the action through and logs the gap. The user picks the session profile when they invoke the agent; the policy layer enforces the rest.

Where local browser agents fit alongside cloud ones

Local browser agents (Kimi WebBridge, the upcoming Claude in Chrome enterprise build) trade cloud convenience for session locality. Cloud browser agents (OpenAI Operator, Anthropic Computer Use) trade locality for centralized observability. Use them differently:

  • Local agent: tasks that touch your authenticated sessions (email triage, internal dashboards, personal banking) where the session cannot leave the device.
  • Cloud agent: tasks on public sites or sandboxed accounts (research, lead gen, public records) where centralized logging and replay are worth the session export.

The guardrails in this post apply to both. The difference is the policy layer location: in the extension for local agents, at the proxy for cloud ones. The API calls and the allow or deny logic are identical.

Key takeaways

  • Local browser agents inherit your sessions. Cookies stay on device; blast radius expands. The agent acts as you on every site you are logged into.
  • Expand shorteners before navigation. Bit.ly and friends hide the destination. One API call returns the redirect chain and final URL.
  • Phishing-check every untrusted destination. Lookalike subdomains and deceptive certificates score high; treat anything above clean as a block.
  • PII-scan every form submit. Auto-fill mistakes are the most common way browser agents leak credentials and cards. Block restricted fields at the policy layer.
  • Fixed allowlist for sensitive surfaces. OAuth, payments, and admin panels live on known hosts. Require explicit confirmation for anything outside the allowlist.

Botoi exposes /v1/phishing/check, /v1/url-metadata, /v1/redirect/trace, and /v1/pii/detect behind one API key with 5 req/min free. Wire them into your browser agent's policy layer, or mount the botoi MCP server so an MCP-aware agent can call them directly. Start at the interactive docs.

Frequently asked questions

What is Kimi WebBridge?
Kimi WebBridge is a browser extension from Moonshot AI that lets an AI agent drive Chrome or Edge: clicking, scrolling, filling forms, and navigating multi-step flows on the user's behalf. Unlike cloud-rendered browser agents, WebBridge runs in the user's own browser session, so cookies, sessions, and local storage stay on the device.
Is a local browser agent safer than a cloud one?
Safer in some ways, riskier in others. Local execution means session cookies never leave the device, which removes a class of cloud-side leak. It also means the agent inherits every authenticated session in your browser. If it visits the wrong URL, it does so as you. The trade is fewer cloud surfaces and more in-browser blast radius.
What can go wrong when an agent drives my browser?
Five common failures: navigating to a lookalike phishing domain, clicking through a malicious consent screen, pasting clipboard contents (often a password manager auto-fill) into the wrong field, submitting a form on an attacker-controlled origin, and following a redirect chain that drops the agent on a credential harvester. Each ends with credentials or money leaving your control.
How do I add guardrails without breaking the agent loop?
Wrap navigation, click, and form-submit actions in a thin policy layer. Before navigation, run a phishing check on the destination URL. Before form submit, scan the payload for PII you did not intend to send. Before paste, check the clipboard contents against a leak detector. Return structured allow/deny verdicts the agent can recover from instead of opaque failures.
What does Botoi do for browser agents specifically?
Three endpoints map directly to the browser-agent guardrail loop. /v1/phishing/check validates every URL the agent proposes. /v1/url-metadata expands shorteners and follows redirects before the agent does. /v1/pii/detect scans form payloads and clipboard contents for restricted fields. All three are stateless, sub-200 ms, and free at 5 req/min.
