1 Key Risks
The most critical security risks an operator inherits when deploying this agent in its documented default configuration. Fellou exposes the operator to unrestricted input ingestion, operator-privilege execution, unmonitored autonomous actions, and no default output filtering across all five defense dimensions.
2 AIRQ Scores
The four headline scores quantify how exposed the agent is, how damaging a successful attack would be, and how much the agent’s own controls reduce that risk. Fellou presents a moderate-to-high composite risk driven by broad architectural exposure and minimal vendor-provided defense controls on the default configuration.
The agent's attack surface and blast radius both land above the midpoint while defense controls remain near the floor, placing it in the lower-right quadrant where exposure outpaces containment.
Attack Surface is scored from zero to ten, Blast Radius from zero to ten, and Defense Controls from zero to fifteen; the AIRQ composite reflects the ceiling across all three.
| Metric | Score | Comments |
|---|---|---|
| AIRQ Score | 4.2 | The composite reflects that broad exposure and thin defense concentrate risk for the operator rather than distributing it across mitigations. |
| Blast Radius | 6.87 / 10 | Network access at maximum drives the overall score, with code execution and credential access close behind given operator-privilege runtime. |
| Attack Surface | 6 / 10 | All ten surfaces reach the architectural-presence band because the browser agent ingests untrusted content, executes tools, and communicates externally by design. |
| Defense Controls | 2 / 15 | Only basic browser sandbox isolation and optional action confirmation are documented; input filtering, output controls, and monitoring are absent. |
3 Attack Surface
Attack surfaces are the entry points and interaction patterns through which adversarial input can reach the agent’s reasoning loop and steer its behavior. The reasoning loop ingests content from every navigated page, executes tools with operator-level access, and communicates with external MCP endpoints by default.
Higher scores indicate that the surface is architecturally present with a documented interaction pattern that an adversary can reach on the default configuration.
Each row names a surface, its score reflecting architectural presence, and a comment describing the documented interaction pattern with supporting citations.
| Surface | Score | Comments |
|---|---|---|
| User Input | 3 / 4 | Natural-language chat plus auto-loaded page content from navigated URLs create a dual-channel input surface confirmed by independent prompt injection research [1]. |
| External Data | 3 / 4 | Every web page the agent visits becomes an input source including attacker-planted content on third-party sites processed through the DOM [3]. |
| Memory | 3 / 4 | Persistent Memory mechanism retains task snapshots and compressed context across sessions, propagating poisoned context to future tasks [7]. |
| Reasoning | 3 / 4 | The Planner agent delegates reasoning to interchangeable LLMs with no isolation boundary between ingested content and planning prompts [7]. |
| Planning | 3 / 4 | Autonomous XML workflow generation decomposes tasks across multiple agents without human checkpoint or intermediate validation [4]. |
| Tool Execution | 3 / 4 | The ComputerUse tool provides direct mouse, keyboard, and screenshot control while browser tools execute page interactions at operator privilege [8]. |
| Orchestration | 3 / 4 | Multi-agent orchestration runs Loop and Listener tasks in a backend workspace with unlimited monitoring duration and no documented scope restriction [7]. |
| Inter-Agent | 3 / 4 | MCP tools load dynamically from any SSE endpoint at runtime without code signing or integrity verification of the tool definitions [9]. |
| Output Processing | 3 / 4 | Browser agent outputs include rich HTML extraction and screenshots with no documented content filtering before external delivery [8]. |
| Configuration | 3 / 4 | MCP servers and custom agents load from community sources without integrity verification, permitting runtime capability expansion [9]. |
The Lethal Trifecta is triggered when an agent processes untrusted content, accesses private data, and communicates externally in the same session — the three conditions that turn an isolated prompt injection into full-chain exfiltration. Fellou ingests attacker-controlled page content into its reasoning loop, accesses the operator's authenticated sessions across platforms, and transmits content outbound through unrestricted browser navigation.
Fellou exhibits all three of these conditions in its documented default configuration:
- Untrusted input — Navigating to any URL auto-ingests visible page content as trusted input to the LLM reasoning context without filtering [1].
- Sensitive data — The agent accesses logged-in accounts across email, banking, and enterprise platforms through the operator's browser session cookies [6].
- External egress — Browser automation navigates any URL and can post content, fill forms, and upload files to arbitrary external endpoints [6].
4 Blast Radius
The blast radius is what an attacker who controls the agent can reach — which systems they touch, which credentials they read, and which actions they take without operator approval. Compromise of the agent's reasoning loop reaches the operator's local system, stored credentials, and unrestricted network access through the browser automation layer.
Higher blast scores indicate that the agent's default capabilities grant deeper reach into the operator's environment upon successful exploitation.
Each row maps a blast factor to its score and the evidence confirming the agent's documented capability to affect that resource class.
| Factor | Score | Comments |
|---|---|---|
| Code execution | 3 / 4 | ComputerUse and the Code Agent execute at operator-level privilege on the host system through the Node.js backend environment [8]. |
| File system access | 3 / 4 | The Node.js environment has full system access and Computer Use manages local files and applications without documented path restrictions [8]. |
| Network access | 4 / 4 | Browser automation navigates any URL with unrestricted outbound connectivity and no documented SSRF protection or egress filtering [8]. |
| Credential access | 3 / 4 | The agent accesses logged-in accounts across platforms and the password manager integration places stored credentials within tool reach [13]. |
| Autonomous action | 2 / 4 | Monitoring tasks run with unlimited step length for messaging, email, and webpage-change monitoring after initial operator setup [13]. |
| Deployment access | 1 / 4 | No dedicated deployment tools ship with the agent; browser automation can interact with deploy UIs but no direct infrastructure access is documented [6]. |
5 Defense Controls
Defense controls are what the agent’s own architecture does to detect, contain, and report attacks before they reach the operator’s systems. The vendor documents browser sandbox isolation and optional action confirmation but publishes no input filtering, output controls, or monitoring infrastructure for the default configuration.
Higher defense scores indicate stronger vendor-provided safeguards that reduce residual risk without operator intervention.
Each component is scored based on what ships by default rather than what an operator could configure or build externally.
| Component | Score | Comments |
|---|---|---|
| Input Guardrails | 0 / 3 | No prompt-injection detection, content validation, or input filtering is documented for the default configuration [6]. |
| Execution Isolation | 1 / 3 | The Eko environment-aware architecture documents capability isolation and cross-origin restrictions within the web sandbox but no containerization beyond the Chromium process model [11]. |
| Action Controls | 1 / 3 | Human-in-the-loop confirmation is available for sensitive actions but default monitoring tasks run autonomously with unlimited step length [6]. |
| Output Guardrails | 0 / 3 | No DLP, output redaction, or content inspection is documented for outbound communications on the default configuration [10]. |
| Monitoring | 0 / 3 | No audit logging or anomaly detection infrastructure is documented; the privacy policy references security measures without naming operator-facing observability [10]. |
6 Hardening Tips
Concrete actions an operator can take to reduce the risks reported above, grouped by which defense control each tip strengthens. Operators should prioritize breaking the full-chain exfiltration path by adding input filtering, restricting outbound egress, and enabling per-action approval gates.
Input Guardrails
Input guardrails intercept adversarial content before it reaches the reasoning loop.
- Policy: Require security review of all MCP server endpoints before adding them to the agent's allowed tool registry — counters untrusted tool injection from arbitrary SSE sources [9].
- Configuration: Configure URL allowlists restricting which domains the agent can navigate to, limiting the auto-ingestion surface to known-safe sites — counters unrestricted page content ingestion [14].
- Engineering: Deploy a content-security proxy that strips injected instructions from page content before it reaches the LLM context — counters the prompt injection vector via navigation [1].
Execution Isolation
Execution isolation contains what a compromised agent can do on the host.
- Policy: Require that the Eko backend process runs under a dedicated service account with no access to the operator's credential stores — counters operator-privilege escalation through ComputerUse [8].
- Configuration: Configure OS-level sandboxing to restrict Node.js backend filesystem and network namespace access — counters unrestricted host access from tool execution [12].
- Engineering: Wrap ComputerUse invocations in a container runtime with restricted capabilities and read-only filesystem mounts — counters full system access from the automation layer [8].
Action Controls
Action controls govern which tools and actions the agent can invoke autonomously.
- Policy: Require per-action operator confirmation for all external communications including form submissions and file uploads — counters unattended autonomous action execution [13].
- Configuration: Configure maximum step limits on monitoring tasks and require re-authentication for long-running background operations — counters unlimited autonomous monitoring duration [13].
- Engineering: Implement action-type allowlists restricting which browser interaction categories the agent can perform without explicit approval — counters broad tool execution authority [2].
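One way to realise the three action-control tips together, as an added example that is not Fellou or Eko code: a gate that classifies each action, lets only read-only categories run autonomously, holds anything that communicates externally for operator confirmation, and caps the steps a task may consume. The action categories, the `ActionGate` class and the policy values are assumptions for illustration.

```typescript
// Added example, not Fellou or Eko code: a gate that decides whether an agent action
// may run autonomously, must wait for operator approval, or is refused, and that
// caps the steps a monitoring task may consume. Categories and values are assumed.
type Category = "read_page" | "navigate" | "click" | "form_submit" | "file_upload" | "computer_use";
type Decision = "allow" | "confirm" | "deny";

interface Action { category: Category; target: string; }
interface Policy {
  autonomous: Set<Category>;   // may run without approval
  forbidden: Set<Category>;    // never permitted for this task type
  maxSteps: number;            // hard cap on steps per task, replacing "unlimited"
}

class ActionGate {
  private readonly policy: Policy;
  private readonly steps = new Map<string, number>();   // steps consumed per task
  constructor(policy: Policy) { this.policy = policy; }

  decide(taskId: string, action: Action): Decision {
    const used = this.steps.get(taskId) ?? 0;
    if (used >= this.policy.maxSteps) return "deny";        // budget exhausted
    if (this.policy.forbidden.has(action.category)) return "deny";
    this.steps.set(taskId, used + 1);                      // refused actions cost no step
    // Everything that can push data out of the browser waits for the operator.
    return this.policy.autonomous.has(action.category) ? "allow" : "confirm";
  }
}

// Constructed policy for monitoring tasks: read-only browsing is autonomous,
// outbound communication needs confirmation, direct desktop control is off.
const monitoringPolicy: Policy = {
  autonomous: new Set<Category>(["read_page", "navigate", "click"]),
  forbidden: new Set<Category>(["computer_use"]),
  maxSteps: 3,
};

// Walks one task through the gate and returns the decisions in order.
function demo(): Decision[] {
  const gate = new ActionGate(monitoringPolicy);
  const t = "inbox-monitor";
  const sequence: Action[] = [
    { category: "read_page", target: "https://mail.example/inbox" },    // allow, step 1
    { category: "form_submit", target: "https://example.org/post" },   // confirm, step 2
    { category: "computer_use", target: "desktop" },                   // deny, forbidden
    { category: "navigate", target: "https://mail.example/inbox" },     // allow, step 3
    { category: "navigate", target: "https://mail.example/inbox" },     // deny, budget spent
  ];
  return sequence.map(a => gate.decide(t, a));
}
```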
Output Guardrails
Output guardrails inspect what the agent sends to other systems and users.
- Policy: Require that all agent-generated outbound content pass through an approved DLP inspection point before external transmission — counters absence of output filtering [10].
- Configuration: Configure content-type restrictions preventing file uploads and form submissions to domains outside an approved list — counters unrestricted data exfiltration [6].
- Engineering: Deploy an egress proxy inspecting outbound payloads for sensitive data patterns including credentials and PII — counters the unfiltered output channel [5].
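The navigation URL allowlist from the Input Guardrails tips and the domain restriction on form submissions and uploads plus the egress inspection for sensitive data patterns from the Output Guardrails tips can share one policy check; the following is an added example, not Fellou or Eko code. The `evaluateEgress` function, the domain lists and the detection patterns are constructed for illustration.

```typescript
// Added example, not Fellou or Eko code: an egress policy check that a proxy in
// front of the browser agent could apply to each outbound request. Domain lists
// and detection patterns are constructed for illustration.
interface Outbound { method: string; url: string; contentType?: string; body?: string; }
interface Verdict { allowed: boolean; reasons: string[]; }

const NAVIGABLE = ["example.com", "mail.example"];   // hosts the agent may navigate to
const SUBMITTABLE = ["mail.example"];                // hosts that may receive forms or uploads
const SECRET_PATTERNS: [string, RegExp][] = [
  ["aws-access-key", /\bAKIA[0-9A-Z]{16}\b/],
  ["email", /[\w.+-]+@[\w-]+\.[\w.-]+/],
];

// True when host is the listed domain or a subdomain of it.
function inList(host: string, list: string[]): boolean {
  return list.some(d => host === d || host.endsWith("." + d));
}

// Luhn check so that arbitrary 16-digit runs (order numbers, IDs) are not flagged.
function luhnValid(digits: string): boolean {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let n = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { n *= 2; if (n > 9) n -= 9; }
    sum += n;
  }
  return sum % 10 === 0;
}

function findSensitive(body: string): string[] {
  const hits = SECRET_PATTERNS.filter(([, re]) => re.test(body)).map(([name]) => name);
  const runs = body.match(/\b\d{16}\b/g) ?? [];
  if (runs.some(r => luhnValid(r))) hits.push("card-number");
  return hits;
}

// Navigation stays on the allowlist; non-GET requests and multipart uploads must also
// target an approved host and pass body inspection before they leave the browser.
function evaluateEgress(req: Outbound): Verdict {
  const reasons: string[] = [];
  const u = new URL(req.url);
  if (u.protocol !== "https:") reasons.push("non-https scheme");
  if (!inList(u.hostname, NAVIGABLE)) reasons.push("host not in navigation allowlist");
  const submission = req.method !== "GET" || (req.contentType ?? "").startsWith("multipart/");
  if (submission && !inList(u.hostname, SUBMITTABLE)) reasons.push("submission to unapproved host");
  if (submission) for (const h of findSensitive(req.body ?? "")) reasons.push("sensitive data: " + h);
  return { allowed: reasons.length === 0, reasons };
}
```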
Monitoring
Monitoring captures what the agent did and surfaces anomalies for review.
- Policy: Require centralized logging of every tool invocation, URL navigation, and credential access event with tamper-evident storage — counters the absence of audit infrastructure [10].
- Configuration: Configure alerting on anomalous patterns such as bulk data extraction or navigation to known-malicious domains — counters undetected exfiltration [14].
- Engineering: Implement session recording for all agent interactions to enable forensic reconstruction of incidents — counters the inability to trace agent actions after a breach [12].
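Detection logic of the kind the monitoring tips call for, as an added example rather than code from Fellou or Eko: it runs over a constructed audit log of tool invocations and raises alerts for bulk data extraction and for navigation to blocklisted domains. The event schema, the thresholds, the blocklist entry and the sample log are assumptions.

```typescript
// Added example, not Fellou or Eko code: detectors run over an agent's audit log of
// tool invocations. They flag bulk data extraction (too many extraction calls or too
// many bytes within a sliding window) and navigation to blocklisted domains. Event
// shape, thresholds, blocklist and sample log are constructed.
interface AuditEvent { ts: number; task: string; tool: string; target: string; bytes: number; }
interface Alert { rule: string; task: string; detail: string; }

const BLOCKLIST = new Set(["evil.example"]);   // constructed placeholder, not a real indicator
const WINDOW_MS = 60_000;
const MAX_EXTRACTS = 5;
const MAX_BYTES = 50_000;

function detect(events: AuditEvent[]): Alert[] {
  const alerts: Alert[] = [];
  const recent = new Map<string, AuditEvent[]>();   // per-task extraction events in window
  const flagged = new Set<string>();                // one bulk alert per task
  for (const e of [...events].sort((a, b) => a.ts - b.ts)) {
    if (e.tool === "navigate" && BLOCKLIST.has(new URL(e.target).hostname)) {
      alerts.push({ rule: "blocklisted-domain", task: e.task, detail: e.target });
    }
    if (e.tool !== "extract_content") continue;
    const win = (recent.get(e.task) ?? []).filter(x => e.ts - x.ts <= WINDOW_MS);
    win.push(e);
    recent.set(e.task, win);
    const bytes = win.reduce((s, x) => s + x.bytes, 0);
    if (!flagged.has(e.task) && (win.length > MAX_EXTRACTS || bytes > MAX_BYTES)) {
      flagged.add(e.task);
      alerts.push({ rule: "bulk-extraction", task: e.task, detail: `${win.length} extracts, ${bytes} bytes` });
    }
  }
  return alerts;
}

// Constructed sample log: a quiet research task, and an inbox task that visits a
// blocklisted page and then reads messages in bulk.
const SAMPLE: AuditEvent[] = [
  { ts: 0, task: "research", tool: "navigate", target: "https://docs.example.com/a", bytes: 0 },
  { ts: 1000, task: "research", tool: "extract_content", target: "https://docs.example.com/a", bytes: 4000 },
  { ts: 2000, task: "inbox", tool: "navigate", target: "https://evil.example/offer", bytes: 0 },
  ...Array.from({ length: 6 }, (_, i) => ({
    ts: 3000 + i * 500, task: "inbox", tool: "extract_content", target: `https://mail.example/msg/${i}`, bytes: 12_000,
  })),
];

// Returns "rule:task" labels for each alert raised on the sample log.
function runDetection(): string[] { return detect(SAMPLE).map(a => `${a.rule}:${a.task}`); }
```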
7 References
The evidence base behind every score and finding in the profile, grouped by source type so the reader can verify any claim. Numbers in brackets throughout the report (e.g. [7, 13]) refer to entries below, listed in citation order.
Selected Vulnerabilities
- [1] Prompt injection via website navigation in Fellou. Brave Security demonstrated that navigating to an attacker-controlled website causes Fellou to send page content to the LLM as trusted input, enabling prompt injection without explicit summarization.
- [2] Fellou API security case study. An independent researcher demonstrated IDOR in the tabId and tabIds parameters, allowing cross-user session data access and context poisoning of the LLM, with no SSL pinning and no rate limiting.
Selected Research
- [3] BrowseSafe: Prompt Injection Within AI Browser Agents. Benchmark of prompt injection attacks embedded in realistic HTML payloads, with a defense strategy combining input filtering and execution isolation for browser agents.
- [4] MUZZLE: Automated Red-Teaming for Web Agent Prompt Injection. Automated framework that discovered 37 distinct indirect prompt injection attacks against web agents, including novel cross-application attack classes.
- [5] Web-Based Indirect Prompt Injection Observed in the Wild. Palo Alto Unit 42 documented 22 distinct attacker techniques for web-based indirect prompt injection, with evidence of active weaponization in real telemetry.
Vendor Documentation
- [6] Fellou product page. Official product page documenting Agentic Memory, Deep Action, Computer Use, dynamic multitasking, and CAPTCHA-solving capabilities on the default configuration.
- [7] Eko architecture overview. Vendor architecture documentation describing the Planner, Agents, Tools, MCP integration, the Memory mechanism, and the dual-layer execution model.
- [8] Eko available tools. Vendor documentation listing the ComputerUse tool, with mouse, keyboard, and screenshot capabilities, plus browser automation tools across environments.
- [9] Eko MCP tools integration. Vendor documentation for native MCP support via SimpleSseMcpClient, allowing dynamic tool expansion from any SSE endpoint at runtime.
- [10] Fellou privacy policy. ASI X Inc privacy policy describing data collection, including prompts and log information, with commercially reasonable security measures stated.
- [11] Eko environment-aware architecture. Vendor documentation describing capability isolation, cross-origin restrictions, and tool input sanitization within the web browser sandbox environment.
Other Sources
- [12] FellouAI/eko GitHub repository. Open-source Eko framework repository with no SECURITY.md policy, no published security advisories, and a security warning about API key exposure in frontend code.
- [13] Fellou 2.0 launch announcement. Vendor blog announcing extended context management, unlimited monitoring step length, and a password manager addition for the agentic browser platform.
- [14] AI threats in the wild: prompt injections on the web. Google Threat Intelligence documented a 32 percent increase in malicious indirect prompt injection detections between November 2025 and February 2026 on the public web.