Privacy Policy

Last updated: July 2026

TLDR: FSB operates entirely within your browser. No browsing data is collected by FSB servers, and AI calls go directly from your browser to the provider you choose. API keys are encrypted locally with AES-GCM, and memory data stays on your device. The only data that ever leaves your machine for FSB is opt-out anonymous usage telemetry that powers the public /stats page. If you pair Remote Dashboard, transient live-preview frames can pass through the relay during the session, but they are not stored. Everything is open source and auditable.

Data Collection

FSB operates entirely within your browser. When you initiate an automation task, the extension may inspect the active tab's DOM (Document Object Model) and, when you invoke a capability, make same-origin site API requests from your browser session.

  • No browsing history is collected or stored beyond the current session
  • DOM data and site API results are analyzed locally and discarded after each automation step unless you explicitly save them in memory
  • No personal information is harvested from pages you visit

Site API capabilities

FSB's capability layer can call a site's own first-party API from the page context, using your already-authenticated browser session. These requests run locally in Chrome; first-party cookies or site auth may be attached by the browser for that target site, but FSB does not return, store, log, or send cookies, tokens, CSRF values, request bodies, or response bodies to FSB servers.

Capability invocations follow FSB's consent controls and are recorded only in the redacted local audit log: origin, capability slug, method, side-effect class, consent decision, and outcome. The audit log never stores invocation arguments, request bodies, response bodies, cookies, tokens, CSRF values, or site response payloads.

Chrome permissions FSB requests

To run web automation, FSB declares the following permissions in its Chrome manifest. Each is used only for the documented purpose; nothing is sent off-device on the strength of any of them.

  • DOM and tabs, activeTab, scripting, tabs, windows, sidePanel, and host permission <all_urls>: read and write the active tab, inject the automation content script, list and switch tabs, and render the side panel
  • Advanced automation, debugger: attach the Chrome DevTools Protocol for coordinate-based clicks, drag, and key-hold actions that the regular DOM API cannot perform. webNavigation: observe navigation start/finish events so automation waits for the right moment
  • Local storage, storage, unlimitedStorage: store your settings, credentials, payment methods, and memory in chrome.storage.local on your device. Unlimited storage lifts the default 10 MB quota so memory and session logs can grow without hitting a wall
  • UX helpers, clipboardWrite: write copy-to-clipboard results from automation. alarms: schedule background housekeeping. offscreen: host the speech-to-text recorder in a hidden document because service workers cannot capture audio directly

Microphone access for speech-to-text is not declared in the manifest. Chrome shows its own permission prompt the first time you use the mic button.

Data Storage

All settings and data are stored locally in Chrome's extension storage. FSB uses AES-GCM encryption for sensitive data like API keys.

  • Configuration is stored in chrome.storage.local
  • API keys are encrypted before storage using AES-GCM
  • Session logs are stored locally and can be cleared at any time
  • Analytics data (task counts, success rates) stays on your device

External Services

FSB communicates with external AI providers only when you configure and use a hosted provider. If you use LM Studio, AI requests stay on your machine through its local OpenAI-compatible server. The choice of provider and what data is sent is under your control.

  • Hosted API calls are made only to the provider you select (xAI, OpenAI, Anthropic, Google, or OpenRouter)
  • LM Studio uses a local OpenAI-compatible server on your device and does not require an API key
  • Sent data includes: task description, DOM structure summary, and action context
  • If you pair Remote Dashboard or use legacy Background Agents sync, an optional relay server handles WebSocket messages for that session. Live-preview frames may pass through the relay transiently, but page content, DOM data, screenshots, AI prompts, AI responses, cookies, tokens, and site API payloads are not persisted on the server. This is opt-in only
  • Each provider has their own privacy policy governing how they handle API requests

Remote Dashboard and PhantomStream Live Preview

When you pair Remote Dashboard, FSB can show a live preview of the active browser tab using PhantomStream. The preview streams structured DOM data instead of pixels: an initial snapshot, MutationObserver diffs, scroll position, automation overlays, dialog state, media playback state, and remote-control messages over WebSocket.

  • The relay forwards those live-preview frames only to the paired dashboard session. FSB servers do not persist page DOM, page content, screenshots, AI prompts, AI responses, cookies, tokens, or site API payloads from the preview stream
  • FSB enables PhantomStream input masking (maskInputs: true), so passwords and form-control values are masked before they leave the captured page
  • The dashboard viewer renders mirrored content in a scriptless sandbox and sanitizes mirrored DOM and CSS before display
  • Images, video, and audio are mirrored by reference in current dashboard mode. Media bytes do not cross the relay; the viewer may fetch allowed public HTTPS asset or media URLs directly, while private, internal, non-HTTPS, or otherwise blocked origins are replaced with placeholders by PhantomStream's fail-closed fetch policy

No Third-Party Tracking

FSB does not include any third-party analytics, ad trackers, or cross-site fingerprinting. There are no cookies and no third-party scripts beyond the AI provider APIs you explicitly configure. The one piece of first-party data FSB sends home is the opt-out Anonymous Usage Telemetry described below, used solely to power the public /stats dashboard.

API Keys

Your API keys are encrypted locally using AES-GCM before being stored. They are never transmitted anywhere except to the AI provider you configured, and only as authentication headers in API requests.

  • Keys are encrypted at rest in Chrome storage
  • Decryption only happens in-memory when making API calls
  • Keys are never logged, exported, or shared

Auto-Passwords

FSB includes an optional credential manager that stores login credentials encrypted on your device. Passwords are never exposed to AI models. They are filled directly into pages by the content script, bypassing the AI entirely.

  • Credentials are encrypted at rest using AES-GCM with 256-bit keys and PBKDF2 key derivation
  • When the AI analyzes a page, password field values are replaced with [hidden]. The actual password is never included in any AI prompt
  • Auto-fill is performed by the content script injecting values directly into the DOM, with no AI involvement in the credential flow
  • The credential list view only shows usernames and domains. Passwords are decrypted individually and only when needed for auto-fill
  • Credentials are stored per-domain with parent domain fallback (e.g., accounts.google.com inherits from google.com)

Payment Methods

FSB includes an optional payment-method vault that stores card details on your device for checkout auto-fill. Cards are treated with the same encryption and AI isolation as login credentials, and the full card number is never sent to any AI model.

  • Card details (number, expiry, cardholder, and zip) are encrypted at rest using AES-GCM with the same vault-derived key used for credentials
  • When the AI analyzes a checkout page, any detected card-number field values are replaced with [hidden] before the prompt is built. Card numbers, CVV, and expiry are never included in any AI prompt
  • Auto-fill happens via the content script writing directly into the page's DOM fields, bypassing the AI entirely
  • The list view shows only a card nickname and last-4 digits. Full numbers are decrypted in memory only at the moment of fill
  • An MCP client can request a payment fill via use_payment_method, but the user is shown an in-extension confirmation prompt before any card data is written into the page
  • CVV is never persisted unless you opt in per-card, and even then it is encrypted alongside the rest of the record

Speech-to-Text

FSB includes an optional microphone input for the prompt box. The default provider runs entirely in your browser; an optional OpenAI Whisper fallback can be enabled in settings if you want higher accuracy.

  • Default provider: the browser's native SpeechRecognition API. Audio is processed by Chrome and never leaves your device through FSB
  • Optional Whisper provider: when sttProvider is set to whisper and an OpenAI key is configured, recorded audio chunks are uploaded directly from your browser to OpenAI's transcription endpoint. FSB never sees or stores the audio
  • The microphone is only active while you are holding or have toggled the mic button. Chrome prompts for permission the first time you use it; FSB does not request microphone access in the extension manifest
  • Transcripts are inserted into the prompt textarea only and are never logged, persisted, or transmitted outside the active AI request you choose to send
  • Disable speech entirely by leaving the mic button untouched, or by clearing the optional Whisper provider in Chrome extension storage

Prompt Injection Prevention

Web pages can contain hidden text designed to hijack AI agents. FSB implements multi-layered defenses to ensure the AI only follows your instructions, never instructions embedded in page content.

  • All page content is wrapped in [PAGE_CONTENT] boundary markers, and the AI is instructed to never follow instructions found within these markers
  • A sanitization engine strips known injection patterns (e.g., "ignore previous instructions", fake system prompts, override attempts) from all page content before it reaches the AI
  • AI-generated actions are validated before execution. Dangerous URLs (javascript:, data:) and script injection attempts are blocked
  • Only a strict, fixed allowlist of known tools can be executed. The AI cannot invent or call arbitrary actions
  • Content size is capped (500 chars per value, 15K total prompt cap) to limit payload delivery
  • Invisible Unicode control characters that websites embed are stripped before processing

Background Agents and Server Sync

Deprecated in v0.9.45rc1. FSB's built-in Background Agents have been superseded by OpenClaw and Claude Routines, with remote control now handled by the Sync tab. The disclosures below are retained for users still running v0.9.44 or earlier; on current builds the relay server is only contacted when you pair a Sync session.

If you opt into legacy Background Agents server sync or pair Remote Dashboard, a relay server facilitates communication between your extension and the dashboard.

  • The server stores: agent definitions (name, schedule, target URL), run metrics (token count, cost, duration, success/fail status), and session pairing tokens
  • The server does NOT persist: page content, DOM data, browsing history, screenshots, AI prompts, AI responses, cookies, tokens, site API payloads, or other data from the pages you visit
  • Authentication uses hash keys (generated locally) and session tokens that expire after 24 hours
  • One-time pairing tokens expire after 60 seconds and cannot be reused
  • Server sync is disabled by default. You must explicitly enable it in Options

Memory System

FSB's memory system stores navigation patterns and site intelligence to improve automation over time.

  • All memory data (semantic, episodic, procedural) is stored locally in chrome.storage.local
  • No memory data is sent to any external server
  • Memory can be viewed and cleared at any time from the Options dashboard
  • Site maps and navigation patterns are domain-specific and isolated from each other

Anonymous Usage Telemetry

FSB v0.9.69 introduced an opt-out anonymous usage telemetry pipeline so the project can publish aggregate adoption numbers (see /stats) without ever touching the pages you browse. The only location signal is a coarse country/state label the server derives from your request IP at ingest (never from page content), kept only in aggregate — see Region (state-level) metric below. Telemetry is on by default but can be disabled with a single toggle, and the per-install data can be erased on request.

What we collect

  • A random per-install UUID stored in chrome.storage.local under the key fsbInstallUuid. The UUID is generated locally and never tied to your identity.
  • The name of the MCP client used (e.g. Claude Code, Cursor, Codex), drawn from a fixed allowlist.
  • The model name used for a session (e.g. grok-4-fast, claude-opus-4), drawn from a fixed allowlist.
  • Aggregate input/output token counts per session.
  • The number of active FSB agents on your install (an integer count).

What we do NOT collect

  • Page URLs, hostnames, or browsing history.
  • Prompts, instructions, task descriptions, or any natural-language text you send to your model provider.
  • Page DOM, screenshots, page content, site API payloads, or AI responses.
  • Plaintext IP addresses. The server uses the request IP transiently and inline for exactly two purposes — a daily-rotating-salt hash for rate limiting, and deriving a coarse country/state label (see below) — then discards it immediately. The plaintext IP is never stored or logged.
  • Names, usernames, account handles, or any free-form identity fields.
  • Email addresses, phone numbers, or contact information.

Region (state-level) metric

  • The server derives a coarse country and US-state (subdivision) label from your request IP at ingest, using a self-hosted DB-IPIP-to-City Lite dataset and our own lookup — not a live third-party geolocation service, and never MaxMind. The plaintext IP is consumed inline and discarded; only the derived label is kept.
  • Region is stored only in the daily aggregate, behind a k≥5 anonymity floor: any state with fewer than 5 distinct installs on a given day collapses into a single “Other” bucket (suppressed entirely when even that combined count is below 5). No individual state label ever represents fewer than 5 installs.
  • There is no per-install location profile. The coarse label lives only on the short-lived raw event (dropped by the 7-day retention) and in the k≥5-floored daily rollup; we never build or retain a durable mapping from your install to a place. Geolocation data is by DB-IP (https://db-ip.com).

Retention

Raw events are retained for 7 days. Daily rollups (one row per install per day) are retained for 365 days. Global aggregates (one row per day, no per-install dimension) are retained indefinitely so historical charts on /stats remain stable.

How to opt out

Open the FSB Control Panel, scroll to Advanced Settings, and toggle Send anonymous usage data off. The change takes effect immediately; no further events will be sent from your install.

How to erase your data

To request erasure of all telemetry rows associated with your install (GDPR Article 17), look up your fsbInstallUuid in Chrome DevTools → Application → Storage → Extension storage, then send a single HTTP request:

curl -X POST -H "Content-Type: application/json" \
  -d '{"install_uuid":"<your-uuid>"}' \
  https://full-selfbrowsing.com/api/telemetry/forget

Limited Use affirmation

FSB's anonymous usage telemetry is used only to compute aggregate usage statistics displayed publicly at full-selfbrowsing.com/stats. The data is never sold, never shared with third parties, never used for advertising, and never used to train any machine-learning models. This commitment satisfies the Chrome Web Store's Limited Use requirement.

Aggregated public metrics

We publish aggregated metrics derived from this telemetry pipeline at /stats. Only counts and totals are shown; no per-install row is ever exposed.

FSB's automation posture is opt-out: non-denylisted origins inherit a user-configurable global default that currently ships as Auto, while explicit per-origin policies can set an origin to Off, Ask, or Auto. Audit-log retention is local and bounded, with export and clear controls available from the Control Panel.

  • The service denylist is still a hard block. Denied origins are non-enableable regardless of the global default or any stored per-origin policy.
  • Sensitive origins can run reads under Auto, but writes re-enforce the per-origin mutating opt-in before execution. Non-sensitive origins can be opted out or moved to Ask from the Control Panel's Consent & Audit section.
  • Every capability call is recorded in a redacted, append-only local audit log. No arguments, tokens, cookies, or response bodies are ever stored.

Open Source

FSB is fully open source under the BSL 1.1 License. You can audit every line of code to verify these privacy claims. The source code is available on GitHub.

Changes to This Policy

If this policy is updated, the changes will be reflected by the "Last updated" date at the top of this page. Significant changes will also be noted in the project's GitHub release notes.

Contact

If you have questions about this privacy policy or FSB's data handling, please open an issue on GitHub Issues.

Policy History

Each entry below is a complete snapshot of the privacy policy as it stood on the date shown. Older versions are kept so you can audit what we promised at any point in time.

March 2026v9.0.2 — Background Agents, Memory System, Server Sync, Anonymous Usage Telemetry, Legal Posture (full archived text)

Archived copy of the privacy policy as it stood in March 2026, before the May 2026 update. This snapshot preserves the then-current policy body, including later telemetry and legal-posture additions that were present on the Angular page before this archive pass.

TLDR FSB operates entirely within your browser. No browsing data is collected. API keys are encrypted locally with AES-GCM. AI calls go directly from your browser to the provider you choose. The optional relay server for Background Agents stores only run metadata, never page content. Memory data stays on your device. Everything is open source and auditable.

Data Collection

FSB operates entirely within your browser. The extension only accesses the DOM (Document Object Model) of the currently active tab when you initiate an automation task.

  • No browsing history is collected or stored beyond the current session
  • DOM data is analyzed locally and discarded after each automation step
  • No personal information is harvested from pages you visit

Data Storage

All settings and data are stored locally in Chrome's extension storage. FSB uses AES-GCM encryption for sensitive data like API keys.

  • Configuration is stored in chrome.storage.local
  • API keys are encrypted before storage using AES-GCM
  • Session logs are stored locally and can be cleared at any time
  • Analytics data (task counts, success rates) stays on your device

External Services

FSB communicates with external AI providers only when you configure and use a hosted provider. If you use LM Studio, AI requests stay on your machine through its local OpenAI-compatible server. The choice of provider and what data is sent is under your control.

  • Hosted API calls are made only to the provider you select (xAI, OpenAI, Anthropic, Google, or OpenRouter)
  • LM Studio uses a local OpenAI-compatible server on your device and does not require an API key
  • Sent data includes: task description, DOM structure summary, and action context
  • If you use the Remote Dashboard or Background Agents sync, an optional relay server handles WebSocket messages and stores agent run metadata (task name, cost, duration, success/fail). No page content, DOM data, or AI responses are stored on the server. This is opt-in only
  • Each provider has their own privacy policy governing how they handle API requests

No Tracking

FSB does not include any analytics, telemetry, or tracking services. There are no cookies, no fingerprinting, and no third-party scripts beyond the AI provider APIs you explicitly configure.

API Keys

Your API keys are encrypted locally using AES-GCM before being stored. They are never transmitted anywhere except to the AI provider you configured, and only as authentication headers in API requests.

  • Keys are encrypted at rest in Chrome storage
  • Decryption only happens in-memory when making API calls
  • Keys are never logged, exported, or shared

Auto-Passwords

FSB includes an optional credential manager that stores login credentials encrypted on your device. Passwords are never exposed to AI models. They are filled directly into pages by the content script, bypassing the AI entirely.

  • Credentials are encrypted at rest using AES-GCM with 256-bit keys and PBKDF2 key derivation
  • When the AI analyzes a page, password field values are replaced with [hidden]. The actual password is never included in any AI prompt
  • Auto-fill is performed by the content script injecting values directly into the DOM, with no AI involvement in the credential flow
  • The credential list view only shows usernames and domains. Passwords are decrypted individually and only when needed for auto-fill
  • Credentials are stored per-domain with parent domain fallback (e.g., accounts.google.com inherits from google.com)

Prompt Injection Prevention

Web pages can contain hidden text designed to hijack AI agents. FSB implements multi-layered defenses to ensure the AI only follows your instructions, never instructions embedded in page content.

  • All page content is wrapped in [PAGE_CONTENT] boundary markers, and the AI is instructed to never follow instructions found within these markers
  • A sanitization engine strips known injection patterns (e.g., "ignore previous instructions", fake system prompts, override attempts) from all page content before it reaches the AI
  • AI-generated actions are validated before execution. Dangerous URLs (javascript:, data:) and script injection attempts are blocked
  • Only a strict allowlist of 50+ known tools can be executed. The AI cannot invent or call arbitrary actions
  • Content size is capped (500 chars per value, 15K total prompt cap) to limit payload delivery
  • Invisible Unicode control characters that websites embed are stripped before processing

Background Agents and Server Sync

If you opt into Background Agents server sync or Remote Dashboard pairing, a relay server facilitates communication between your extension and the dashboard.

  • The server stores: agent definitions (name, schedule, target URL), run metrics (token count, cost, duration, success/fail status), and session pairing tokens
  • The server does NOT store: page content, DOM data, browsing history, AI prompts, AI responses, or any data from the pages you visit
  • Authentication uses hash keys (generated locally) and session tokens that expire after 24 hours
  • One-time pairing tokens expire after 60 seconds and cannot be reused
  • Server sync is disabled by default. You must explicitly enable it in Options

Memory System

FSB's memory system stores navigation patterns and site intelligence to improve automation over time.

  • All memory data (semantic, episodic, procedural) is stored locally in chrome.storage.local
  • No memory data is sent to any external server
  • Memory can be viewed and cleared at any time from the Options dashboard
  • Site maps and navigation patterns are domain-specific and isolated from each other

Anonymous Usage Telemetry

FSB v0.9.69 introduced an opt-out anonymous usage telemetry pipeline so the project can publish aggregate adoption numbers (see /stats) without ever touching the pages you browse. Telemetry is on by default but can be disabled with a single toggle, and the per-install data can be erased on request.

What we collect

  • A random per-install UUID stored in chrome.storage.local under the key fsbInstallUuid. The UUID is generated locally and never tied to your identity.
  • The name of the MCP client used (e.g. Claude Code, Cursor, Codex), drawn from a fixed allowlist.
  • The model name used for a session (e.g. grok-4-fast, claude-opus-4), drawn from a fixed allowlist.
  • Aggregate input/output token counts per session.
  • The number of active FSB agents on your install (an integer count).

What we do NOT collect

  • Page URLs, hostnames, or browsing history.
  • Prompts, instructions, task descriptions, or any natural-language text you send to your model provider.
  • Page DOM, screenshots, page content, or AI responses.
  • Plaintext IP addresses. The server hashes the request IP with a daily-rotating salt for rate limiting and discards it.
  • Names, usernames, account handles, or any free-form identity fields.
  • Email addresses, phone numbers, or contact information.

Retention

Raw events are retained for 7 days. Daily rollups (one row per install per day) are retained for 365 days. Global aggregates (one row per day, no per-install dimension) are retained indefinitely so historical charts on /stats remain stable.

How to opt out

Open the FSB Control Panel, scroll to Advanced Settings, and toggle Send anonymous usage data off. The change takes effect immediately; no further events will be sent from your install.

How to erase your data

To request erasure of all telemetry rows associated with your install (GDPR Article 17), look up your fsbInstallUuid in Chrome DevTools → Application → Storage → Extension storage, then send a single HTTP request:

curl -X POST -H "Content-Type: application/json" \
  -d '{"install_uuid":"<your-uuid>"}' \
  https://full-selfbrowsing.com/api/telemetry/forget

Limited Use affirmation

FSB's anonymous usage telemetry is used only to compute aggregate usage statistics displayed publicly at full-selfbrowsing.com/stats. The data is never sold, never shared with third parties, never used for advertising, and never used to train any machine-learning models. This commitment satisfies the Chrome Web Store's Limited Use requirement.

Aggregated public metrics

We publish aggregated metrics derived from this telemetry pipeline at /stats. Only counts and totals are shown; no per-install row is ever exposed.

Legal Posture and Consent Model

FSB's automation posture, audit-log retention, and per-origin consent model were presented as explicit product controls. FSB does nothing on an origin until you explicitly allow it, automated read access never implies write access, and a conservative service denylist blocks automation on sensitive categories (financial and government services) outright.

  • Per-origin consent is default-off. Auto and write (mutating) access are separate, explicit opt-ins managed from the Control Panel's Consent & Audit section.
  • Every capability call is recorded in a redacted, append-only local audit log. No arguments, tokens, cookies, or response bodies are ever stored.
  • A service denylist renders sensitive origins non-enableable, enforced at the capability gate and not merely in the interface.

Open Source

FSB is fully open source under the BSL 1.1 License. You can audit every line of code to verify these privacy claims. The source code is available on GitHub.

Changes to This Policy

If this policy is updated, the changes will be reflected by the "Last updated" date at the top of this page. Significant changes will also be noted in the project's GitHub release notes.

Contact

If you have questions about this privacy policy or FSB's data handling, please open an issue on GitHub Issues.

February 2026v0.9 — Initial privacy policy (full archived text)

Archived copy of the initial privacy policy as it stood in February 2026. This snapshot is reproduced from the original static showcase page, with the page chrome removed and the policy content preserved.

Data Collection

FSB operates entirely within your browser. The extension only accesses the DOM (Document Object Model) of the currently active tab when you initiate an automation task.

  • No browsing history is collected or stored beyond the current session
  • DOM data is analyzed locally and discarded after each automation step
  • No personal information is harvested from pages you visit

Data Storage

All settings and data are stored locally in Chrome's extension storage. FSB uses AES-GCM encryption for sensitive data like API keys.

  • Configuration is stored in chrome.storage.local
  • API keys are encrypted before storage using AES-GCM
  • Session logs are stored locally and can be cleared at any time
  • Analytics data (task counts, success rates) stays on your device

External Services

FSB communicates with external AI providers only when you configure and use them. The choice of provider and what data is sent is under your control.

  • API calls are made only to the provider you select (xAI, OpenAI, Anthropic, or Google)
  • Sent data includes: task description, DOM structure summary, and action context
  • No data is sent to FSB servers -- there are none
  • Each provider has their own privacy policy governing how they handle API requests

No Tracking

FSB does not include any analytics, telemetry, or tracking services. There are no cookies, no fingerprinting, and no third-party scripts beyond the AI provider APIs you explicitly configure.

API Keys

Your API keys are encrypted locally using AES-GCM before being stored. They are never transmitted anywhere except to the AI provider you configured, and only as authentication headers in API requests.

  • Keys are encrypted at rest in Chrome storage
  • Decryption only happens in-memory when making API calls
  • Keys are never logged, exported, or shared

Auto-Passwords Beta

FSB includes an optional credential manager that stores login credentials encrypted on your device. Passwords are never exposed to AI models -- they are filled directly into pages by the content script, bypassing the AI entirely.

  • Credentials are encrypted at rest using AES-GCM with 256-bit keys and PBKDF2 key derivation
  • When the AI analyzes a page, password field values are replaced with [hidden] -- the actual password is never included in any AI prompt
  • Auto-fill is performed by the content script injecting values directly into the DOM, with no AI involvement in the credential flow
  • The credential list view only shows usernames and domains -- passwords are decrypted individually and only when needed for auto-fill
  • Credentials are stored per-domain with parent domain fallback (e.g., accounts.google.com inherits from google.com)

Prompt Injection Prevention

Web pages can contain hidden text designed to hijack AI agents. FSB implements multi-layered defenses to ensure the AI only follows your instructions, never instructions embedded in page content.

  • All page content is wrapped in [PAGE_CONTENT] boundary markers, and the AI is instructed to never follow instructions found within these markers
  • A sanitization engine strips known injection patterns (e.g., "ignore previous instructions", fake system prompts, override attempts) from all page content before it reaches the AI
  • AI-generated actions are validated before execution -- dangerous URLs (javascript:, data:) and script injection attempts are blocked
  • Only a strict allowlist of 30+ known tools can be executed -- the AI cannot invent or call arbitrary actions
  • Content size is capped (500 chars per value, 15K total prompt cap) to limit payload delivery
  • Invisible Unicode control characters that websites embed are stripped before processing

Open Source

FSB is fully open source under the MIT License. You can audit every line of code to verify these privacy claims. The source code is available on GitHub.

View the source code on GitHub

Summary

FSB processes data locally, encrypts sensitive information, never exposes passwords to AI models, defends against prompt injection attacks, communicates only with AI providers you choose, includes no tracking, and is fully auditable as open source software.