For computer-use agents
Containment first

Run Claude computer use safely.

Computer-use agents read the web to act. That makes them targets for prompt injection. Legba runs the agent in a disposable sandbox, isolated from your credentials, cookies, and machine, and destroyed on close. A hijacked agent reaches nothing it should not.

  • No CLI, no Docker, no keys
  • Burn on close
  • OpenClaw live now
Boundary: On machine → In sandbox

Exposed (on machine): Full access. Credentials, cookies, files, network.

Contained (in sandbox): Task only. Isolated session, destroyed on close.

The risk, in plain terms.

A computer-use agent acts on what it reads. When the page is hostile, the agent can be too. The question is what it can reach when that happens.

01. Indirect prompt injection.

A computer-use agent reads the web to do its job. Hidden instructions on a page or in a document can hijack it, the same way a phishing email targets a person. The agent follows the attacker, not you.

02. Your machine is the blast radius.

Run that agent on your laptop and it inherits your access. Saved passwords, logged-in cookies, local files, SSH keys, and your internal network are all reachable. A hijack becomes a breach.

03. Persistence makes it worse.

Cookies and tokens left on disk outlive the task. A later run, or a later attacker, picks up where the last one stopped. The session never really ends, so the risk never really ends.

The mechanism → Read how indirect prompt injection hijacks an agent through content it reads, or the broader prompt injection explainer.

How Legba contains it.

Containment does not stop an agent from being tricked. It limits what a tricked agent can touch. The blast radius ends at a disposable session.

Isolation boundary

The agent runs off your machine.

Every run spawns a clean, isolated session in the cloud. The agent gets a real browser and the task. It never touches your device, your stack, or your network.

No persistent cookies

Nothing is carried in.

No credentials, no cookies, no fingerprint from a past session. Each run starts fresh, so a hijacked agent has nothing of yours to find inside the sandbox.

Burn on close

The session is destroyed on close.

One click ends the run and the whole environment is gone. No lingering tokens, no state for a later attacker to inherit. The blast radius closes with the session.

Pick it. Run it. Destroy it.

No CLI, no Docker, no API keys. Start the agent in the browser, let it work in isolation, and burn the session when it is done.

01. Pick the agent.

Choose a pre-loaded template. OpenClaw is live now. SWE-Agent and OpenHands are coming next. No install, no config, no API keys.

02. Run it contained.

The agent gets full access inside the isolated sandbox. It never sees your credentials, cookies, or machine. An injection attempt has nowhere to go.

03. Destroy it.

One click and the environment is gone. No lingering data, no cleanup, no trail. The next run starts from a clean, fresh session.

Go deeper → See the full OpenClaw sandbox or the run OpenClaw safely guide.

What it keeps out of reach.

Your credentials.

Passwords, API keys, and tokens stay off the sandbox. The agent cannot read your keychain, your environment, or your saved logins.

Your cookies.

Logged-in sessions stay on your machine. The agent runs in a fresh container with no access to the sessions you already hold.

Your host machine.

Local files, SSH keys, and your internal network are out of reach. A hijacked agent reaches the disposable session and nothing past it.

Straight answers.

No tool can promise that an agent will never be tricked. Indirect prompt injection rides in on web pages, documents, and other content the agent reads, so a hijacked agent is always possible. What Legba changes is the blast radius. The agent runs inside a disposable sandbox, isolated from your credentials, cookies, files, and network. If injection happens, the agent reaches only the throwaway session, and that session is destroyed on close. The attempt is contained, not amplified.

Access anything. Expose nothing.
