SETUP GUIDE

The agent surface

Give OpenClaw a disposable browser.

Hand your agent a real browser it cannot escape. It spawns a fresh session, does the work, and burns it on close. Four steps. No Chromium on your machine.

Get started Docs

add the mcp server. scope a session. run. burn.

The walkthrough

Four steps. One throwaway browser.

Add the Legba MCP server, scope the session, run the agent, and burn it on close. The snippets below are copy-paste placeholders. Swap in your own key.

Add the Legba MCP server.
Point OpenClaw at the Legba MCP server. The agent reaches the browser as a tool, not as a local install. No Chromium on your machine. No driver to babysit.
What this does: registers Legba as a tool the agent can call.
terminal · add-mcpbash
```
# add Legba as an MCP server for the agent
npx @legba/mcp install --client openclaw

# or point at the hosted endpoint directly
export LEGBA_API_KEY="sk_live_..."
```
Scope the session.
Declare what the browser is allowed to reach. Pick a geography, set a TTL, and burn on close. The agent sees only what you scope, never your cookies or credentials.
What this does: bounds the blast radius before the agent runs.
openclaw.config.jsonjson
```
{
  "tools": {
    "legba": {
      "command": "npx",
      "args": ["@legba/mcp"],
      "env": { "LEGBA_API_KEY": "${LEGBA_API_KEY}" },
      "session": {
        "region": "us-east",
        "ttlSeconds": 600,
        "burnOnClose": true
      }
    }
  }
}
```
Run the agent.
Start OpenClaw with a task. The agent spawns a fresh browser, does the work, and reports back. A prompt injection has nowhere to go. The session is the boundary.
What this does: runs the agent against a real browser it cannot escape.
terminal · runbash
```
openclaw run \
  --config openclaw.config.json \
  --task "log in and export the invoice as PDF"

# the agent calls legba.spawn(), drives the page,
# then the session is destroyed when the task ends
```
Burn it on close.
The TTL hits or the task ends. Cookies, storage, tokens, and fingerprint are gone. Nothing escapes because nothing is left. Run the next task on a clean session.
What this does: leaves no trail after the agent finishes.
terminal · session lifecycletext
```
> session.spawn --burn-on-close
status: spawned
browser: chromium / real fingerprint
> task complete
> session.destroy
status: gone
```

The agent calls the browser through the MCP server. For every session param and the full lifecycle, read the docs.

cookie preferences

we value your privacy. accept all cookies?

acceptaccept1,438 partners

verify you are humanattempt 7 of 7humancheck

expires in 00:58privacy · terms

data exposedper session

typical · 2.4 mblegba · 0 b

trackers · live view2 active

you?

tracker_1

tracker_2

selection: emptymatch 0.0%

legba · sessionLIVE

> spawn session

fprotated · fresh

ipresidential · fra

tracenone · 0 bytes

> burn on close

uptime 00:12trace none

gated.example.com

403

access denied

automated traffic detected · ref 8841

200

access granted

via legba session · ref 8841

Access anything.
Expose nothing.

Legba is a disposable real browser: it spawns a clean session, does the work, and destroys itself on close.

Get started

Read the docs

chromium / real fingerprint · residential ip · burn on close

Chrome Plugin

OpenClaw

Adversary

Give OpenClaw a disposable browser.

Four steps. One throwaway browser.

Add the Legba MCP server.

Scope the session.

Run the agent.

Burn it on close.

Where to go next.

How the Legba MCP server works

Read the full setup reference

Run OpenClaw fully hosted instead

Access anything.Expose nothing.

Access anything.
Expose nothing.