Brave Leo Agent Security Risks

Browser Agents brave.com Humble Providers
AI RISK QUADRANT POSITION DEFENSE CONTROLS (3) ATTACK SURFACE (4.8) EXPOSED GIANTS FORTIFIED LEADERS HUMBLE PROVIDERS TIGHT OPERATORS
AIRQ Score
1.89
Critical
Attack Surface
4.8
Medium
Blast Radius
2.63
Low
Defense Controls
3
Critical
About The Agent

Brave Leo is a browser-integrated AI assistant embedded in the Brave desktop and mobile browser, routing user queries through an anonymized reverse proxy to external model providers. On its default configuration, Leo operates as a conversational assistant that ingests full page DOM content and web search results within the browser sandbox boundary. Agentic browsing, code execution, and persistent memory are opt-in capabilities gated behind feature flags, each expanding the runtime's attack surface and blast radius when enabled by the user.

About the AI Risk Quadrant

Humble Providers agents combine a moderate-to-elevated attack surface with a low blast radius, meaning the exposure pathways exist but the damage ceiling from a successful compromise remains bounded. Brave Leo lands here because the browser sandbox constrains file system, credential, and deployment access while the floor condition elevates the attack surface above the raw per-component arithmetic. Operators inherit manageable blast exposure but face an input ingestion channel that processes untrusted page content with no documented input filtering.

1 Key Risks

The most critical security risks an operator inherits when deploying this agent in its documented default configuration. Brave Leo's primary risks concentrate on unfiltered ingestion of untrusted page content, absent input and output guardrails, and no documented operator-facing monitoring or anomaly detection.

Key Input Risks
Leo ingests full page DOM content including attacker-controlled elements during summarization and agentic browsing with no documented prompt injection detector. Independent research confirmed indirect injection via hidden DOM elements [4], the vendor documents the same attack class against competing browsers [7][8], and browser-level CVEs confirm inherited boundary exposure [1][2][3].
Key Execution Risks
Multi-model reasoning routes to external LLMs with no documented separation between system prompts and ingested page content, and a feature-flagged code execution tool is scoped to chart generation with no published security audit [11][12]. No process-level isolation between Leo and the host browser process is documented.
Key Action Risks
No autonomous actions execute on the default configuration; agentic browsing introduces navigation and form interaction gated by user opt-in, per-action consent, and alignment-model validation [13]. The highest-blast channel is outbound network via the anonymized proxy, with no credential, file write, or deployment access documented [10].
Key Output Risks
Leo renders text responses directly in the browser sidebar without DLP, credential redaction, or URL sanitization between the model and the user-facing display. Research demonstrated that web agents including Leo unintentionally leak session context to external endpoints during multi-turn conversations [9].
Key Monitoring Risks
Audit logging and anomaly detection are entirely absent from Leo conversations; chat history is stored locally under user control with no operator visibility into injection attempts or agentic action sequences [10]. SOC 2 certification covers the Search API only, with no attestation extending to Leo [18].

2 AIRQ Scores

The four headline scores quantify how exposed the agent is, how damaging a successful attack would be, and how much the agent’s own controls reduce that risk. Brave Leo lands in the Humble Providers quadrant, anchored by vendor documentation and independent research on the browser-integrated assistant's default security posture.

AIRQ Metrics

The attack surface sits at the upper-moderate band driven by three simultaneous exposure conditions, while the blast radius stays low and defense controls remain near the floor with only action controls documented as a vendor-shipped default.

Each row below ties an axis score to the evidence base behind it, with attack and blast scored out of ten and defense out of fifteen.

Metric Score Comments
AIRQ Score 1.89 Low composite risk reflects the bounded blast radius dampening the elevated attack surface, with minimal defense contribution and damage ceiling constrained by the browser sandbox scope.
Blast Radius 2.63 / 10 Browser sandbox boundary and anonymized proxy architecture constrain damage to local chat data and outbound model queries, with no credential or deployment access documented.
Attack Surface 4.8 / 10 Vendor documentation, independent academic testing [5], and architectural analysis [6] anchor the input and data surfaces, with all three exposure conditions met and elevating the aggregate above raw per-surface arithmetic.
Defense Controls 3 / 15 Action controls for agentic browsing are the sole documented defense layer; input filtering, output sanitization, and security monitoring are absent from the default configuration.

3 Attack Surface

Attack surfaces are the entry points and interaction patterns through which adversarial input can reach the agent’s reasoning loop and steer its behavior. The dominant exposures are unfiltered page content ingestion and external data processing, with the remaining surfaces bounded by opt-in feature flags and the absence of inter-agent communication.

Attack Surface Metrics

Two surfaces reach the upper band on architectural conditions, while the remaining eight stay at or below the midpoint with no evidence-driven penalties applied.

Each row ties a surface to its adjusted score, the vendor or research evidence anchoring the assessment, and the architectural exposure the score represents.

Surface Score Comments
User Input 3 / 4 Full page DOM ingestion during summarization exposes Leo to indirect prompt injection via attacker-controlled elements; independent research confirmed exfiltration paths [4][13], mirroring cross-agent injection patterns [17].
External Data 3 / 4 Web search results and page content from untrusted external sources enter the model context without content filtering; the SPILLAGE framework confirmed unintentional data leakage across configurations [9][13].
Memory 2 / 4 Optional persistent memory stored locally with manual user writes; off by default, user-controlled, and the vendor advises against storing sensitive data [15].
Reasoning 2 / 4 Multi-model reasoning delegates to interchangeable external LLMs without a documented instruction hierarchy separating system prompts from ingested page content [12][19].
Planning 1 / 4 Default configuration supports single-step task execution with no autonomous goal decomposition; agentic browsing adds multi-step navigation behind an opt-in flag [14].
Tool Execution 1 / 4 Code execution tool limited to chart generation in a sandboxed scope behind a feature flag; web search is the only active default tool [11].
Orchestration 1 / 4 Multi-turn conversation with emerging agentic mode behind an opt-in flag; default configuration operates as a single-turn assistant with no task delegation [13].
Inter-Agent 0 / 4 No inter-agent communication, delegation, or federation documented; Leo operates as a standalone assistant within the browser with no agent-to-agent protocol support [11].
Output Processing 2 / 4 Text output rendered in the browser sidebar with no documented DLP, credential redaction, or exfiltration blocking; the SPILLAGE research confirmed output-path leakage [9][10].
Configuration 2 / 4 Opt-in feature flags control agentic mode, code execution, and memory persistence; configuration changes expand the attack surface but require explicit user action [13].

The Lethal Trifecta is triggered when an agent processes untrusted content, accesses private data, and communicates externally in the same session — the three conditions that turn an isolated prompt injection into full-chain exfiltration. Brave Leo ingests untrusted page content into the model context, processes user queries that may contain sensitive data, and transmits content to external model providers via the anonymized reverse proxy on every query.

Lethal Trifecta · Complete (3 of 3)

Brave Leo exhibits all three of these conditions in its documented default configuration:

  • Untrusted input — Leo ingests full page DOM content from any website the user visits during summarization and agentic browsing sessions [4][13].
  • Sensitive data — User queries and page content transmitted to external model providers may contain sensitive data; the reverse proxy strips IP addresses but not content payloads [10].
  • External egress — Every query sends content through the anonymized reverse proxy to model providers and search, with agentic browsing adding autonomous navigation to external sites [10][13].

4 Blast Radius

The blast radius is what an attacker who controls the agent can reach — which systems they touch, which credentials they read, and which actions they take without operator approval. Damage potential remains bounded by the browser sandbox, with network access to model providers as the dominant blast channel and no credential, file system, or deployment access documented.

Blast Radius Metrics

No factors reach the upper band; network access is the highest-scoring factor with the remaining five constrained at or below the lower band.

Each row ties a blast factor to the specific capability evidence, the documented scope boundary, and the operational impact an attacker would achieve.

Factor Score Comments
Code execution 1 / 4 Chart-only generation tool operates behind a feature flag with no arbitrary execution, shell access, or process spawning documented outside the constrained sandbox [11].
File system access 1 / 4 Local chat history and memory preferences are the only documented file system interactions; no arbitrary file read, write, or directory traversal capability exposed [10].
Network access 2 / 4 All inference traffic flows via the anonymized reverse proxy to external model providers; IP addresses are stripped but conversation payloads cross the network boundary [10].
Credential access 1 / 4 No credential passthrough, OAuth token access, or session hijacking documented; premium authentication uses unlinkable tokens with no IP logging [10].
Autonomous action 1 / 4 Agentic browsing adds autonomous navigation requiring user opt-in, per-action consent, and alignment-model validation before execution; the default fires no autonomous actions [13].
Deployment access 0 / 4 No CI/CD integration, deployment pipeline access, or infrastructure modification capability documented; Leo operates within the browser sandbox with no external deployment access [11].

5 Defense Controls

Defense controls are what the agent’s own architecture does to detect, contain, and report attacks before they reach the operator’s systems. Only action controls for agentic browsing ship as a documented default defense; the remaining four control layers are either undocumented or entirely operator-managed.

Defense Controls Metrics

The inverted scale shows stronger vendor safeguards as taller bars; the near-floor total reflects that most defense layers are absent from the default configuration.

Each row scores whether the vendor ships the control by default, documents it as opt-in, or leaves the capability entirely to the operator.

Component Score Comments
Input Guardrails 0 / 3 No documented input classifier, prompt injection detector, or content filtering between untrusted page content and the model context window on the default configuration [13].
Execution Isolation 1 / 3 Agentic browsing runs in an isolated browsing profile with a separate storage partition; code execution tool operates in a sandboxed scope behind a feature flag [11][13].
Action Controls 2 / 3 Agentic browsing requires opt-in activation with consent mechanisms per action and an alignment checker model; double bug bounty rewards incentivize security research [13][16].
Output Guardrails 0 / 3 No documented DLP, credential redaction, or PII filtering on Leo output; research confirmed web agents can unintentionally leak session context [9][10].
Monitoring 0 / 3 Audit logging and anomaly detection are absent from the default runtime; privacy-preserving analytics cover product telemetry but not security event monitoring [10].

6 Hardening Tips

Concrete actions an operator can take to reduce the risks reported above, grouped by which defense control each tip strengthens. The highest-leverage changes are deploying input filtering before the model context, enabling output DLP scanning, and forwarding conversation telemetry to centralized security monitoring.

Input Guardrails

Input guardrails intercept adversarial content before it reaches the reasoning loop.

Input Guardrails
  • Policy Require security review approval before enabling page summarization on high-risk or untrusted domains — counters User Input at the upper band with no input filtering.
  • Configuration Disable page summarization for untrusted domains using browser-level content policies — counters External Data ingestion from attacker-controlled page content.
  • Engineering Wire a prompt injection classifier between page content and the model context window — counters the absent input filtering on User Input and External Data.

Execution Isolation

Execution isolation contains what a compromised agent can do on the host.

Execution Isolation
  • Policy Mandate that code execution feature flags remain disabled in managed deployments unless a documented sandbox audit has been completed — counters the feature-flagged execution boundary.
  • Configuration Configure browser-level process isolation to separate Leo inference from host browser memory — counters the shared-process boundary between the assistant and browser-stored data.
  • Engineering Instrument runtime sandboxing to detect code execution attempts outside the documented chart generation scope — counters potential scope expansion of the feature-flagged execution tool.

Action Controls

Action controls govern which tools and actions the agent can invoke autonomously.

Action Controls
  • Policy Establish a review gate requiring security team approval before enabling agentic browsing — counters the autonomous navigation and form interaction capability expanding blast radius.
  • Configuration Configure the alignment checker sensitivity threshold to reject autonomous actions accessing authenticated sessions or sensitive forms — counters agentic browsing on credential-bearing pages.
  • Engineering Deploy an auditing extension that logs all agentic browsing actions with consent receipts — counters the lack of operator visibility into autonomous action sequences.

Output Guardrails

Output guardrails inspect what the agent sends to other systems and users.

Output Guardrails
  • Policy Mandate DLP scanning on all Leo output before browser rendering — counters absent output filtering that allows unintentional data leakage documented in oversharing research.
  • Configuration Configure output length limits and content type restrictions to prevent large data exfiltration payloads — counters the unrestricted text output channel to the browser sidebar.
  • Engineering Wire PII detection and credential pattern matching into the output pipeline — counters the absence of output guardrails allowing sensitive data patterns in model responses.

Monitoring

Monitoring captures what the agent did and surfaces anomalies for review.

Monitoring
  • Policy Mandate centralized logging of all Leo conversations and agentic actions to an enterprise SIEM — counters the complete absence of operator-facing security monitoring.
  • Configuration Configure alerting rules for prompt injection patterns, unusual query volumes, and agentic browsing on sensitive domains — counters the absent anomaly detection on Leo interactions.
  • Engineering Build a custom telemetry pipeline that captures Leo conversation events and forwards structured security alerts to the enterprise SIEM — counters the absent security event monitoring.

7 References

The evidence base behind every score and finding in the profile, grouped by source type so the reader can verify any claim. Numbers in brackets throughout the report (e.g. [7, 13]) refer to entries below, listed in citation order.

Selected Vulnerabilities

  1. CVE-2025-48980 Brave Browser Desktop split view did not respect SameSite cookie attribute, enabling cross-site cookie leakage on versions prior to 1.83.10.
  2. CVE-2025-23086 Origin misinference in file selector dialog on Brave Desktop 1.70.x through 1.73.x allowed a malicious site to spoof the trusted origin via an open redirect (CVSS 6.1).
  3. SameSite attribute in split views HackerOne-originated security issue documenting the split view cookie-sharing bug and its fix via proper SameSite handling in the context menu.

Selected Research

  1. Brave Leo security risks and vulnerabilities LayerX Security analysis documenting indirect prompt injection via hidden DOM elements in Brave Leo, rating overall risk at 7.8 out of 10 with 45 percent phishing block rate.
  2. Agentic Browsers and the Same-Origin Policy University of Washington research testing seven agentic browsers including Brave Leo, finding Leo has more limited agentic features but stronger security properties than competitors.
  3. Architectural vulnerabilities in agentic LLM browsers Varonis Threat Labs architectural analysis noting Brave Leo loads its UI natively from browser internal resources, neutralizing remote XSS attack vectors present in other agentic browsers.
  4. Indirect prompt injection in Perplexity Comet Brave Security Team research demonstrating cross-origin data theft via indirect prompt injection in Comet, establishing the class-level risk shared by all AI browser assistants.
  5. Unseeable prompt injections in screenshots Brave research documenting steganographic prompt injection via screenshots across multiple agentic browsers as a systemic challenge facing the entire AI browser category.
  6. Privacy risks of agentic oversharing Brave SPILLAGE framework research demonstrating pervasive unintentional data leakage by web agents across tested configurations including Brave Leo.

Vendor Documentation

  1. Brave Browser Privacy Policy The vendor privacy policy documents Leo data handling including reverse proxy anonymization, no server-side retention, local chat history, and privacy-preserving analytics via STAR and Nebula.
  2. Brave Leo GitHub Wiki The vendor wiki documents Leo features including multi-model support, BYOM, memory system with local storage, Tab Focus, and privacy protections across desktop and mobile platforms.
  3. Brave Leo product page The vendor product page documents available models including Claude, Llama, and Mixtral alongside privacy commitments and deployment across desktop and mobile browsers.
  4. AI browsing in Brave The vendor blog documents agentic browsing security architecture including isolated browsing profile, alignment checker model, browser controls, consent mechanisms, and double bug bounty rewards.
  5. Leo roadmap update The vendor roadmap documents agentic AI guardrails in development including task progress indicators, activity previewer, user intervention controls, and dedicated agent execution environment.
  6. Leo customization and memory features The vendor help center documents Leo memory and customization features including local-only storage, manual user control, and guidance against storing sensitive data like passwords.
  7. Brave HackerOne bug bounty Brave operates an active bug bounty program covering security and privacy issues in current browser releases including Leo, with double rewards for AI browsing issues during early testing.

Other Sources

  1. Prompt injection flaw in Opera Neon Brave disclosed a prompt injection vulnerability in Opera Neon demonstrating cross-origin data theft via hidden HTML instructions, establishing the shared attack pattern for agentic browsers.
  2. SOC 2 Type II for Brave Search API Brave earned SOC 2 Type II attestation for Search API only after a three-month external audit by Prescient Security, confirming the certification scope does not extend to Leo or the browser.
  3. DeepWiki Brave Leo architecture DeepWiki architectural analysis documents Leo system layers including browser integration, context acquisition from pages and tabs, model provider routing, and code execution tool for charts.