- Why Browser and Computer-Use Agents Need a Sandbox
- What To Isolate In A Browser Session
- How To Handle Cookies, Accounts, And Credentials
- How To Contain Downloads, Files, And Clipboard Data
- How To Log DOM Actions, Screenshots, And Replay Trails
- How To Set Network, Approval, And Reset Boundaries
- How Novita Agent Sandbox Fits This Evaluation
- Browser And Computer-Use Sandbox Checklist
- FAQ
Browser and computer-use sandboxes should isolate sessions, filesystem and downloads, credentials, cookies, network access, tool actions, screenshots and recordings, logs, and reset state so AI agents cannot silently expand their trust boundary while operating websites, applications, and files.
Why Browser and Computer-Use Agents Need a Sandbox
Browser-use and computer-use agents are different from ordinary chatbots. They do not just answer a question; they click, type, download files, read web pages, fill forms, and sometimes operate a full desktop-like environment. That makes the runtime part of the security model.
A text-only assistant can produce a bad answer. A browser or computer-use agent can take a bad action. It might submit a form, leak a session cookie into a log, download an unsafe file, overwrite a workspace, follow a prompt injection hidden in a webpage, or use a credential in a context where it should not be available.
The sandbox is the place where those actions are constrained. It should answer practical questions such as:
- Which account is the browser logged into?
- Which files can the agent read or write?
- Which domains can the agent contact?
- Which cookies and tokens persist after the task?
- Which clicks, commands, screenshots, and file changes can be reviewed later?
- What is destroyed when the task ends?
The goal is not to pretend a sandbox removes every risk. The goal is to make the agent’s operating environment narrow, observable, and resettable. When a model or tool makes the wrong decision, the blast radius should be limited to the session and resources you intentionally exposed.
What To Isolate In A Browser Session
Start with the browser profile. A browser agent should not use a developer’s daily browser profile, personal extensions, saved passwords, persistent cookies, or unmanaged download directory. Give each task, user, or workflow its own profile boundary unless there is a deliberate reason to share state.
At minimum, evaluate whether the sandbox separates:
| Boundary | What can go wrong without it | What to check |
|---|---|---|
| Browser profile | The agent inherits unrelated logins, extensions, cookies, autofill, or browsing history. | Per-task or per-user profiles, explicit persistence rules, extension controls. |
| Session lifecycle | A previous task’s state changes the next task’s result. | Fresh session creation, snapshot restore, cleanup, and expiry behavior. |
| Tabs and windows | The agent reads or clicks content from the wrong context. | Tab scoping, active-window tracking, and event logs. |
| Browser storage | LocalStorage, IndexedDB, cache, and service workers persist sensitive state. | Storage reset, export rules, and domain-scoped cleanup. |
| Downloads | Files from the web land in a shared directory. | Isolated download folder, file type policy, malware scanning workflow where required. |
Treat the browser as a workspace, not a disposable UI wrapper. Modern web applications keep meaningful state in cookies, local storage, caches, service workers, background requests, and downloaded files. If the sandbox only opens a browser window but does not define what happens to that state, the isolation boundary is incomplete.
For computer-use environments, the same principle extends beyond the browser. The agent may interact with a terminal, file manager, document editor, local preview server, or GUI application. That environment needs a scoped home directory, clear mount points, and a way to separate task artifacts from runtime internals.
How To Handle Cookies, Accounts, And Credentials
Cookies and logged-in accounts are often the most sensitive part of browser automation. A browser agent with a valid session can perform whatever the account is allowed to do, even if the model never sees the raw password.
Use a separate account for agent work where possible. The account should have the minimum permissions needed for the workflow, and the sandbox should make it clear whether cookies are injected, created during login, persisted between runs, or destroyed after completion.
Credential handling needs a stricter rule: never give the agent broad secrets just because a website might ask for them. Prefer scoped, time-limited tokens; per-workflow credentials; and brokered access where the agent calls a narrow tool rather than reading a raw secret. If a secret must be available inside the sandbox, decide whether it appears as an environment variable, mounted file, browser credential, or tool-only capability.
Watch for these anti-patterns:
- A shared browser profile with personal or admin cookies.
- Secrets pasted into a page by the model without approval.
- API keys available to all tools in the sandbox.
- Session cookies captured in full-page screenshots or debug logs.
- Form autofill enabled for production accounts.
- Long-lived credentials left in downloaded files, shell history, or browser storage.
OWASP’s guidance for LLM applications highlights prompt injection and excessive agency as recurring risks in agentic systems. For browser agents, those risks meet the web directly: a page can contain instructions that try to influence the model, and the model may have tools that perform real actions. Isolation gives you a second line of defense when instruction-following is not enough.
How To Contain Downloads, Files, And Clipboard Data
Downloads are a trust boundary. A browser agent may save PDFs, spreadsheets, archives, screenshots, invoices, build artifacts, or executable files. Those files should land in a sandbox-owned directory, not a shared desktop folder or a production workspace.
A practical download policy should cover:
- Allowed file types and maximum file size.
- Whether downloaded files can be opened automatically.
- Whether files can be uploaded to another site.
- How files are scanned, hashed, or logged.
- Which files are exported from the sandbox at the end of the run.
- How temporary files are deleted.
For computer-use agents, file boundaries matter even more because the agent may create or modify local files as part of the task. A coding agent might edit a repository. A data agent might create charts. A browser agent might download a CSV, transform it, and upload a result. Each path should be explicit: where inputs arrive, where working files live, where approved outputs are exported, and what gets wiped.
Clipboard access deserves its own decision. It is convenient for GUI automation, but it can also move sensitive text between unrelated applications. If the agent can read the clipboard, it may see a token copied by a human a few seconds earlier. If it can write the clipboard, it may affect the human’s next paste action. In sensitive workflows, make clipboard access session-local or require explicit approval before crossing the human-sandbox boundary.
Screen interaction has a similar issue. Computer-use agents work from screenshots, accessibility trees, or rendered UI state. Screenshots can include private data, account names, tokens, document text, or customer records. Decide whether screenshots are retained, redacted, streamed to a model provider, or stored for replay. Do not treat them as harmless debugging images.
How To Log DOM Actions, Screenshots, And Replay Trails
A browser sandbox should make actions reviewable. When an agent clicks a button or submits a form, a security team or developer should be able to reconstruct what happened without guessing from the final result.
For browser automation, useful logs include:
- URL and origin visited.
- DOM selector or accessibility target used for each action.
- Text typed, with secret redaction.
- Form submission events.
- Downloads started and completed.
- Network requests at the domain or endpoint level.
- Console errors and page errors.
- Screenshot checkpoints before or after sensitive steps.
For computer-use automation, add tool calls, process starts, shell commands, file reads and writes, window focus changes, and exported artifacts. The log should distinguish what the model requested, what the automation layer executed, and what the environment returned. That distinction matters when debugging prompt injection, flaky UI behavior, or a tool wrapper bug.
Replay is helpful, but it changes the data-retention question. A full replay trail may include screenshots, page text, form content, filenames, terminal output, and credentials unless redaction is built in. Decide up front who can access replays, how long they are retained, and whether sensitive values are masked before storage.
The right level of detail depends on the workflow. A public price-monitoring agent may need lightweight logs. An agent that touches customer accounts, billing pages, infrastructure consoles, or internal tools needs stronger audit trails and stricter retention controls.
How To Set Network, Approval, And Reset Boundaries
Network access is where a browser sandbox can quietly expand. A task may start with one website, then load third-party scripts, follow redirects, call APIs, download packages, or reach internal domains. If the sandbox has broad outbound access, the agent can move data to places the application owner did not expect.
For browser and computer-use agents, consider:
- Domain allowlists for expected web destinations.
- Blocks for internal metadata services and private network ranges.
- Separate policy for package registries, object storage, and web search.
- DNS logging where security review requires it.
- Egress logs that can be tied back to a session and task.
Human approval should sit in front of actions that are hard to undo or legally meaningful. Examples include submitting purchases, sending messages, changing account settings, deleting files, rotating credentials, inviting users, opening support tickets, or uploading customer data. The approval event should capture what the agent intends to do, the page or file involved, and the exact action approved.
Reset behavior is the final boundary. A good sandbox should make it obvious what happens when a task ends:
| State | Reset question |
|---|---|
| Browser cookies | Are they destroyed, persisted, or checkpointed? |
| Browser storage | Is cache, local storage, IndexedDB, and service worker state cleared? |
| Downloads | Are files deleted, retained for review, or exported to a controlled location? |
| Credentials | Are tokens revoked, rotated, or removed from the environment? |
| Logs and replay | What is retained, redacted, and for how long? |
| Network access | Are temporary allowlists or proxy credentials removed? |
| Filesystem | Is the workspace wiped, snapshotted, or reused? |
Persistent sessions are useful for long-running agents, but persistence should be intentional. If a browser profile, filesystem, or process state survives across runs, document why it persists and who can reset it.
How Novita Agent Sandbox Fits This Evaluation
Novita Agent Sandbox is designed for running AI agent workloads in isolated cloud environments. The product page describes support for code execution, browser use, computer use, persistent sessions, live session viewing, and reusable templates. The Novita Agent Sandbox quickstart documentation shows how developers can create a sandbox, run commands, work with files, and manage a sandbox through SDKs.
Those capabilities make Novita relevant when you are evaluating browser-agent, coding-agent, data-analysis, and long-running agent workflows. The evaluation still needs to be specific to your threat model. Before using any sandbox provider for sensitive browser or computer-use automation, confirm the exact behavior you need around browser profiles, cookies, credential injection, network egress, screenshot retention, file export, logs, and reset semantics.
For teams already using Novita AI models, the practical advantage is operational fit: inference and agent execution can be planned within the same builder platform instead of treated as separate infrastructure decisions. Keep product claims separate from security assumptions, though. A sandbox can provide useful isolation and lifecycle controls, but your application still needs least-privilege accounts, scoped credentials, approval gates, and audit rules for the actions your agent performs.
Browser And Computer-Use Sandbox Checklist
Use this checklist before giving an agent access to a real website, account, or desktop-like workspace.
| Area | Evaluation question |
|---|---|
| Session | Does each task get an isolated browser profile or workspace? |
| Accounts | Is the agent using a least-privilege account rather than a human’s main account? |
| Cookies | Are cookies scoped, persisted intentionally, and cleared on reset? |
| Credentials | Are secrets scoped, time-limited, redacted in logs, and unavailable to unrelated tools? |
| Downloads | Do files stay inside a sandbox-owned directory until explicitly exported? |
| Clipboard | Can the agent read or write the human clipboard, or only a session-local clipboard? |
| Screenshots | Are screenshots retained, redacted, and access-controlled? |
| DOM actions | Are clicks, typed text, forms, selectors, and page origins logged? |
| Tool calls | Can you separate model intent from executed tool action? |
| Network | Are domains, private ranges, package registries, and DNS behavior controlled? |
| Approval | Which actions require a human confirmation step? |
| Reset | What exactly is wiped, retained, revoked, or snapshotted after the run? |
| Incident review | Can you reconstruct what happened from logs, files, network events, and replay? |
FAQ
What is the difference between a browser sandbox and a computer-use sandbox?
A browser sandbox constrains what a web browser can do: which profiles, cookies, and storage are available, which domains the browser can contact, and which downloads are allowed. A computer-use sandbox is broader and covers a full desktop-like environment — terminal access, file managers, GUI applications, and local processes in addition to the browser. Both share the same core concerns around reset, logging, credential scoping, and least-privilege accounts, but computer-use environments require additional decisions around mounted directories, clipboard access, screen data, and process isolation.
Do I need a separate browser profile for every agent task?
In most cases, yes. Sharing a profile across tasks means one task can see cookies, logins, saved passwords, and browser storage left by another. Per-task profiles are the simplest way to prevent unintended state carryover. If your workflow requires session persistence — for example, a long-running agent that picks up where it left off — make the persistence explicit and document exactly what state carries over and why.
Can AI agents safely handle credentials inside a sandbox?
Credentials are safer inside a sandbox than in an uncontrolled environment, but the sandbox alone does not make credential handling safe. The main risks are overexposure (giving the agent more access than the task requires), leakage (credentials appearing in logs, screenshots, or debug output), and persistence (tokens or cookies remaining available after the task ends). Prefer scoped, time-limited credentials; broker access through narrow tool calls rather than raw secrets; and confirm that logs and screenshots redact sensitive values before storage.
What happens if an AI agent downloads a malicious file?
The sandbox download policy determines the blast radius. If downloads are isolated to a sandbox-owned directory, auto-opening is disabled, and file type restrictions are in place, a downloaded file cannot run automatically or reach the broader filesystem. Without those controls, a malicious file could execute, reach shared directories, or be uploaded elsewhere before a human reviews it. Treat downloads as potentially untrusted input and define explicit policies for which file types are allowed, whether they can be opened within the sandbox, and how they are scanned or logged.
How do I detect prompt injection in a browser agent?
Prompt injection from a webpage is hard to detect reliably at the model layer. Sandboxing is one of the main defensive controls because it limits what the agent can do even if a malicious instruction is followed. Practical signals include unexpected tool calls or navigations, actions outside the intended domain, unusual form submissions, and attempts to retrieve or transmit credentials or session data. Good DOM action logs — recording what page was visited, which selectors were targeted, and what text was typed — make it easier to reconstruct whether a page influenced the agent’s behavior.
Does using a sandbox mean my agent is secure?
A sandbox narrows the blast radius but does not eliminate risk. It constrains what the agent can reach and what survives a reset, but it does not prevent bad model decisions, misconfigured credentials, or application-level vulnerabilities. Security depends on layered controls: least-privilege accounts, scoped credentials, approval gates for irreversible actions, audit logs that capture model intent and executed actions, and human review before sensitive workflows reach production. A sandbox is one layer, not the full answer.
How long should screenshots and replay data be retained?
Retention depends on the sensitivity of the workflow and your audit requirements. For agents that touch personal data, billing systems, customer accounts, or internal tools, a defined retention window with access controls and redaction of sensitive values (tokens, form content, visible credentials) is a reasonable baseline. For low-sensitivity workflows, shorter retention or summary-only logging may be appropriate. Decide before deployment who can access replays, how long they are kept, and how they are deleted. Avoid treating screenshots as harmless debug artifacts — they often contain more sensitive data than structured logs.
Which agent actions should always require human approval?
Actions that are hard to reverse or legally meaningful are the clearest candidates: purchases, account setting changes, file deletions, credential rotation, user invitations, support ticket submissions, and uploads of customer or regulated data. Beyond those, consider requiring approval for any action outside the agent’s original task scope, any action on a domain or account not anticipated at the start of the run, and any download or execution of files the task did not explicitly require. The approval event should record what the agent intended to do and what the human explicitly confirmed.
