Headless sandbox

Playwright/Puppeteer in Docker. No shared cookies with real browser. Ephemeral profile per session.

Advertisement

DOM extraction

Extract text via accessibility tree, not raw HTML. Reduces injection surface. Structured DOM.

Advertisement

Injection filter

Classifier on extracted content before feeding LLM. Delimit as untrusted.

Screenshot risk

Multi-modal agents read text in screenshots. Injection via image text (text-in-image). OCR-aware filter.