AI agent browser security: using a logged-in browser safely
SafeCoBrowser is an open-source AI co-browsing browser for macOS that lets you bring Claude Code, Codex, or any MCP agent into your logged-in browser — only when you allow it, per tab, with an instant kill switch and a full audit log.
Can an AI agent use your logged-in browser safely?
Yes, if the agent is off by default, scoped to one tab at a time, gated by per-action approval, and unable to reach your raw credentials. That is exactly how SafeCoBrowser is built: the agent receives brokered, permission-gated tools and nothing else, and Stop AI cuts it off instantly.
The permission model
The agent starts with zero visibility. You grant a mode per tab, and a grant is never retroactive: enabling a mode exposes nothing that happened in that tab before the grant (such as your login). "Stop AI" bumps a session epoch that every tool handler re-checks at execution time, so in-flight and future agent calls fail closed immediately.
- Off — the default; the agent sees nothing.
- Read — read the page: URL, text, links, screenshots.
- Inspect — inspect elements, read the console and network.
- Assist — click and fill, each action behind your approval.
- Developer — run JavaScript in the page; every script goes through your approval.
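The grant, gate, and revoke flow above in code, as an added example that is not SafeCoBrowser's own implementation: a per-tab permission broker with the mode ladder, per-action approval, and the execution-time epoch check the page describes. The tool names, the `Broker` class, and its API are assumptions made for illustration; the real product blocks the agent's call while the approval card is open instead of handing back a ticket.

```javascript
// Added example, not SafeCoBrowser's own code. Mode ladder, approval gating and
// the execution-time epoch check follow the page; tool names, the Broker class
// and its API are assumptions made for illustration.
const MODES = ["off", "read", "inspect", "assist", "developer"];
const rank = (m) => MODES.indexOf(m);

// Minimum mode each brokered tool needs (hypothetical tool set).
const TOOL_MODE = {
  read_page: "read",       // URL, text, links, screenshots
  read_console: "inspect", // console and network
  click: "assist",         // each action behind approval
  fill: "assist",
  run_js: "developer",     // every script behind approval
};
const GATED = new Set(["click", "fill", "run_js"]);

class Broker {
  constructor() {
    this.epoch = 0;           // bumped by stopAI(), re-checked at execution time
    this.grants = new Map();  // tabId -> { mode, autoApprove }
    this.pending = new Map(); // approval id -> request still waiting on the user
    this.nextId = 1;
    this.log = [];            // audit entries; never contains a filled value
  }

  grant(tabId, mode, { autoApprove = false } = {}) {
    if (!MODES.includes(mode)) throw new Error(`unknown mode ${mode}`);
    this.grants.set(tabId, { mode, autoApprove });
  }

  // Stop AI: one epoch bump revokes every grant and every in-flight call.
  stopAI() {
    this.epoch += 1;
    this.grants.clear();
  }

  // Agent entry point. A gated tool returns { ok: false, pending: id } until
  // the user calls approve(id) or reject(id).
  call(tabId, tool, args = {}) {
    const need = TOOL_MODE[tool];
    if (!need) return { ok: false, reason: "unknown tool" };
    const g = this.grants.get(tabId);
    if (!g || g.mode === "off") return { ok: false, reason: "tab not granted" };
    if (rank(g.mode) < rank(need)) {
      return { ok: false, reason: `${tool} needs ${need}, tab has ${g.mode}` };
    }
    const req = { id: this.nextId++, tabId, tool, args, epoch: this.epoch };
    if (GATED.has(tool) && !g.autoApprove) {
      this.pending.set(req.id, req);
      return { ok: false, pending: req.id };
    }
    return this.execute(req, g.autoApprove ? "auto-approved" : "ungated");
  }

  approve(id) {
    const req = this.pending.get(id);
    this.pending.delete(id);
    if (!req) return { ok: false, reason: "no such pending action" };
    return this.execute(req, "approved");
  }

  reject(id) {
    const req = this.pending.get(id);
    this.pending.delete(id);
    if (req) this.record(req, "rejected");
    return { ok: false, reason: "rejected by user" };
  }

  // Execution-time check: a Stop AI between the request and its execution
  // (for example while the approval card is still open) fails closed.
  execute(req, decision) {
    if (req.epoch !== this.epoch) {
      this.record(req, "revoked");
      return { ok: false, reason: "revoked: session epoch changed" };
    }
    this.record(req, decision);
    return { ok: true, result: `${req.tool} on tab ${req.tabId}` };
  }

  // Record the field acted on, never the value that was filled into it.
  record(req, outcome) {
    const { value, ...visible } = req.args;
    this.log.push({ tool: req.tool, tabId: req.tabId, args: visible, outcome });
  }
}

// Walk through the page's rules on constructed state; returns what happened.
function demo() {
  const b = new Broker();
  const r = {};
  r.offByDefault = b.call(1, "read_page").ok;                    // false
  b.grant(1, "read");
  r.readOk = b.call(1, "read_page").ok;                          // true
  r.otherTab = b.call(2, "read_page").ok;                        // false, not granted
  r.clickUnderRead = b.call(1, "click", { selector: "#go" }).ok; // false, needs assist
  b.grant(1, "assist");
  const fill = b.call(1, "fill", { selector: "#pw", value: "hunter2" });
  r.fillPending = fill.pending;                                  // approval card shown
  b.stopAI();                                                    // user hits Stop AI
  r.approveAfterStop = b.approve(fill.pending).ok;               // false, fails closed
  b.grant(1, "assist", { autoApprove: true });
  r.autoClick = b.call(1, "click", { selector: "#go" }).ok;      // true, still logged
  r.jsUnderAssist = b.call(1, "run_js", { script: "1+1" }).ok;   // false, needs developer
  r.outcomes = b.log.map((e) => e.outcome);
  r.valueLeaked = JSON.stringify(b.log).includes("hunter2");     // false
  return r;
}
```

The point to notice is in `execute`: the grant check in `call` is not enough on its own, because a request that passed it can still be sitting behind an approval card when Stop AI is pressed. Stamping each request with the epoch it was created in and comparing at execution time is what makes that in-flight request fail closed rather than run late.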
Hiding cookies, tokens, and secrets from the agent
Two layers. First, a hard boundary: the agent only ever receives brokered, permission-gated tools, never your cookie store, saved passwords, or the browser profile on disk. Second, a best-effort privacy filter: user-defined match→label rules redact cookies, tokens, account numbers, or any other pattern in the page DOM, and because the redaction is applied to the DOM it covers the screen, screenshots, and what the agent reads alike. Best-effort means exactly that: a secret in a format none of your rules match is not redacted. Note also that Developer mode (run JavaScript) is full page control: a script runs inside the page and can read page state directly, so the filter is not a boundary against it. Grant it only when you trust the script shown in the approval card.
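The second layer in code, as an added example rather than SafeCoBrowser's own filter: match→label rules applied to a page tree before the agent reads it, with one rule gap left in on purpose to show what "best-effort" means, and a Developer-mode script that walks the raw tree. The rule shape, the toy page, and the function names are assumptions.

```javascript
// Added example, not SafeCoBrowser's own code: a match -> label privacy filter
// over a page tree, plus the Developer-mode caveat. Rule shape, toy page and
// function names are assumptions made for illustration.
const RULES = [
  { match: /sessionid=[A-Za-z0-9]+/g, label: "[cookie]" },
  { match: /\bsk-[A-Za-z0-9]{16,}\b/g, label: "[token]" },
  { match: /\b\d{4} \d{4} \d{4} \d{4}\b/g, label: "[account]" },
];

// Redact one string with every rule; text no rule matches passes through.
function redact(text, rules = RULES) {
  return rules.reduce((s, r) => s.replace(r.match, r.label), text);
}

// Constructed page tree; in the browser this would be the tab's live DOM.
const PAGE = {
  tag: "body",
  children: [
    { tag: "h1", text: "Account settings" },
    { tag: "pre", text: "Set-Cookie: sessionid=9f8e7d6c5b4a" },
    { tag: "code", text: "API key: sk-abcdefghijklmnop1234" },
    { tag: "p", text: "Card on file: 4111 1111 1111 1111" },
    // Same kind of secret, different format: no rule above covers dashes.
    { tag: "p", text: "Backup card: 4111-1111-1111-1111" },
  ],
};

// Read mode: the agent gets a copy of the tree with every text node filtered.
// Screenshots taken from the same filtered view would show the labels too.
function readPage(node, rules = RULES) {
  const out = { tag: node.tag };
  if (node.text !== undefined) out.text = redact(node.text, rules);
  if (node.children) out.children = node.children.map((c) => readPage(c, rules));
  return out;
}

function flatten(node) {
  const own = node.text ? [node.text] : [];
  return own.concat(...(node.children || []).map(flatten)).join("\n");
}

// Developer mode: the approved script runs inside the page against the live
// tree. The filter sits in front of the agent's read tools, not in front of
// the page itself, so the script sees unredacted text.
function runJs(node, script) {
  return script(node);
}

function demo() {
  const seen = flatten(readPage(PAGE));
  const raw = runJs(PAGE, (doc) => flatten(doc));
  return {
    cookieHidden: !seen.includes("9f8e7d6c5b4a") && seen.includes("[cookie]"),
    tokenHidden: !seen.includes("sk-abcdefghijklmnop1234"),
    cardHidden: !seen.includes("4111 1111 1111 1111"),
    dashedCardLeaks: seen.includes("4111-1111-1111-1111"), // rule gap
    devModeSeesToken: raw.includes("sk-abcdefghijklmnop1234"),
  };
}
```

Two practical consequences follow. Write rules for every format a site actually renders a secret in (spaces, dashes, grouped digits), and treat the Developer-mode approval card as the control for that mode, because no redaction rule applies to a script that reads the page directly.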
Can the AI click without seeing passwords?
Yes. In Assist mode the agent acts by selector — it can click a button or fill and submit a field without reading the secret back. The value of a fill is never logged (only the field is), and password and other sensitive fields are masked when recording. The agent does not need to see a password to complete a login you set up.
Approve, block, and revoke every action
Click, fill, and run-JavaScript each require approval: the approval card shows the concrete effect (the selector, or the exact script), and the agent's call blocks until you decide. Optional per-tab auto-approve lets trusted actions through without a card, but they are still logged. Stop AI revokes instantly, and every action and decision lands in an exportable, hash-chained audit log.
What the agent can never reach
- Your cookie database and session tokens on disk.
- Your saved passwords.
- The browser profile directory.
- Other tabs you didn't grant, or anything from before you enabled access.
FAQ
- Can an AI agent use my logged-in browser safely?
- Yes — when the agent is off by default, scoped per tab, gated by per-action approval, and blocked from your raw credentials. SafeCoBrowser provides exactly that: the agent only gets permission-gated tools, never your cookies, passwords, or profile, and you can revoke instantly with Stop AI.
- Can I hide cookies and tokens from AI agents?
- Yes, two ways. The agent never receives your cookie store or profile in the first place — it only gets brokered tools. On top of that, a privacy filter lets you redact cookies, tokens, and any sensitive pattern from what the agent sees on screen, in screenshots, and in page reads.
- Can AI click buttons without seeing passwords?
- Yes. In Assist mode the agent clicks and fills by selector; the value it fills is never logged, password fields are masked when recording, and it does not need to read a password to fill or submit a login. Only Developer mode (run JavaScript) is full page control — grant it only when you trust the script.
- Can I approve or block browser actions?
- Yes. Every click, fill, and script shows an approval card with the concrete effect, and the agent's call blocks until you approve or reject. Stop AI revokes all access instantly, and every decision is recorded in the audit log.
- Does the AI ever get my passwords or cookies?
- No. The agent only receives permission-gated, brokered tools. It never gets your saved passwords, your cookie database, or the browser profile directory.
- What happens when I press Stop AI?
- It revokes the grant immediately by bumping a session epoch that handlers re-check at execution time, so any in-flight action and all future calls fail closed. The agent is blind again until you grant a mode anew.