Browser agents should not
authorize their own clicks.
Decision before side effects.
Stop your Playwright/Puppeteer agents from making unauthorized purchases or navigating to unsafe domains.
Add ALLOW / REQUIRE_CONFIRM / BLOCK before critical browser interactions.
Automating clicks is easy. Controlling them is hard.
Browser execution is inherently dangerous. Letting an agent surf the web autonomously exposes you to:
Instructing an agent "do not buy anything" relies on its reading comprehension. If it clicks checkout, it's already too late.
Agents can follow external links to phishing or out-of-scope domains without explicit constraints.
Agents mistakenly logging out or mutating authentication states interrupt automations across your system.
Deterministic interception layer.
Safe local navigation or reading data payload proceeds without friction.
Payment forms, destructive mutations, and auth changes pause for approval.
Blacklisted domains or out-of-scope interactions are denied outright.
Wrap your browser abstraction.
# before — autonomous risk def buy_item(page, selector): page.click(selector) # after — execute under authority def buy_item(page, selector): intent = kilu.check_intent(action="browser.click", target=selector) if intent.outcome == "ALLOW": page.click(selector) elif intent.outcome == "REQUIRE_CONFIRM": wait_for_human(intent.id) else: raise Exception("Click Denied")
Browser Safety Approaches
| Approach | What it does | What it misses |
|---|---|---|
| System Prompts | Instructs model not to click on bad things | Model hallucination = vulnerability |
| DOM masking | Hides buttons from model vision | Brittle. Breaks when DOM changes |
| KiLu integration | Requires token decision per click/nav | Bulletproof authority before side effects |