App Idea Cards 2026-05-10

AgentLeash

A browser extension that sits between you and every AI agent acting in your browser — Atlas, Comet, Claude Computer Use, Operator — enforcing spend caps, site allowlists, and a tamper-evident action log before the agent commits anything irreversible.

Problem

Consumer-grade AI browser agents now ship with one-click "Agent Mode" that can shop, book, fill forms, and send email on your behalf — but they have no shared control plane, no spending limit, no per-site permissions, and no audit trail you can show your bank or your spouse. The Amazon vs. Perplexity injunction in March 2026 made the gap painfully concrete: a user can grant an agent permission, but the underlying platform can still block it, leaving the user with a frozen workflow, a half-completed purchase, or a flagged account. Enterprises are racing to bolt budget and policy guardrails onto their agents; individuals have nothing.

Target user

People in their late 20s through 50s who already use Atlas / Comet / Claude / Operator daily for shopping, travel, and household admin, and who have either felt a "wait, did it just do that?" moment or already had an agent rejected, rate-limited, or shadowbanned. Job-to-be-done: "let my agent do the boring stuff, but never let it spend my money, send mail as me, or touch my bank without me clicking yes."

MVP scope

  • Chrome/Edge extension that injects a thin overlay into every tab and watches for known agent-driven activity — programmatic clicks, headless input events, the User-Agent and CDP signatures used by Atlas Agent Mode, Comet, and Operator — without depending on any vendor SDK.
  • A stop-the-world toolbar button: one click freezes the active tab's input events and surfaces an "agent paused" banner across every running agent context.
  • Site policy rules — per-domain allow / confirm / block. Defaults block your bank, Gmail send, Amazon checkout, brokerage, healthcare portals. Editable in a dashboard.
  • Spend tripwire: any form submission on a page where a $ total above a user-set threshold appears in the DOM gets a "you're about to authorize $X" confirm modal, regardless of which agent is driving.
  • Action ledger: local-first, append-only log of every agent-driven click, form submit, navigation, and download, with a thumbnail of the page at the moment of action. Exportable as a signed PDF for disputes.
  • Prompt-injection sniffer: scans visible + hidden text on the page for the published OpenAI/Anthropic injection-string patterns and warns the user before letting an agent continue.
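
One way the site-policy rules and the spend tripwire above could combine into a single decision per form submission. This is an added sketch, not AgentLeash code: the function names, the sample rule set, and the `.example` domains are assumptions, and the agent-detection result is taken as an input rather than computed.

```javascript
// Added example, not AgentLeash code. All names and rules are hypothetical.
const DEFAULT_RULES = {              // constructed sample policy
  "bank.example": "block",
  "shop.example": "confirm",
  "news.example": "allow",
};

// Most specific rule wins. Matching is on whole DNS labels, so
// "evilbank.example" does not inherit the rule for "bank.example".
function policyFor(hostname, rules) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    const candidate = labels.slice(i).join(".");
    if (Object.prototype.hasOwnProperty.call(rules, candidate)) {
      return rules[candidate];
    }
  }
  return "confirm";                  // unknown site: ask the user
}

// Pull every "$1,249.99"-style figure out of the page text.
function dollarAmounts(text) {
  const re = /\$\s?(\d{1,3}(?:,\d{3})+|\d+)(\.\d{1,2})?/g;
  return [...text.matchAll(re)].map(
    (m) => Number(m[1].replace(/,/g, "") + (m[2] || "")));
}

// agentDriven: true, false, or null when detection is unsure.
// Only a confident "human" skips the checks; null is treated like an agent.
function decide({ hostname, pageText, agentDriven, thresholdUsd, rules }) {
  if (agentDriven === false) return { action: "allow", reason: "human input" };
  const policy = policyFor(hostname, rules);
  if (policy === "block") return { action: "block", reason: "site policy" };
  const amounts = dollarAmounts(pageText);
  const max = amounts.length ? Math.max(...amounts) : null;
  if (max !== null && max > thresholdUsd) {
    return { action: "confirm",
             reason: `you're about to authorize $${max.toFixed(2)}` };
  }
  // No visible amount (e.g. a shadow-DOM checkout) falls through to site policy.
  return { action: policy, reason: "site policy" };
}
```

The tripwire upgrades an "allow" site to "confirm" when a large total is visible, but it never downgrades a "block".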

Monetization

Freemium browser extension.

  • Free: stop-the-world button, default block list, last 50 actions in the ledger, single device.
  • Pro ($4/mo or $36/yr): unlimited ledger, multi-device sync, custom site policies, signed PDF export, family plan, weekly "what your agents did this week" digest.
  • Teams ($9/seat/mo): shared site policies, admin can require confirm on any domain, SSO, audit export. Aimed at solo practitioners and 2–20 person firms whose staff are already using consumer agents on work accounts.

Why now

Atlas shipped Agent Mode to Plus/Pro/Business users and OpenAI publicly hardened the browser against prompt injection in early 2026, conceding the attack surface is real and ongoing. Perplexity rolled Comet to iOS in March 2026, and a federal judge in the Northern District of California issued a preliminary injunction the same week blocking Comet's agent from Amazon — explicitly distinguishing "user permission" from "platform authorization." Enterprise agent-governance frameworks are being written right now (budget caps, scope restriction, runtime spend controls), but the consumer version doesn't exist; the agents themselves are racing to add capability, not brakes.

Risks & open questions

  • Detecting "agent vs. human" reliably is a moving target. Atlas, Comet, and Operator each use different driver signatures, and they will quietly change. Heuristics must degrade gracefully into "ask the user" rather than miss silently.
  • Vendor relations: if AgentLeash is too good at intercepting, agent vendors may treat it as adversarial and break compatibility. Need a public "compatibility commitment" so users know which agents currently work.
  • Liability framing: if the extension fails to stop a bad purchase, do users blame us? Position as "second seatbelt", not "the brakes."
  • Distribution: Chrome Web Store discovery for safety tools is weak. Likely needs a hook — e.g., the weekly "what your agents did" digest as a share-friendly screenshot.
  • Hidden-form / shadow-DOM checkout pages (Stripe Elements, Apple Pay sheets) won't expose the $ amount cleanly. Tripwire needs a fallback heuristic on payment-domain network requests.

Next step

Validate by instrumenting Atlas Agent Mode and Comet against a fixture set of 25 real workflows (Amazon-style cart, OpenTable booking, Gmail compose, brokerage transfer, gift-card redeem), measuring agent-detection precision/recall and the false-positive rate of the spend tripwire. If precision ≥ 95% on the no-agent control set, promote to a weekly prototype: a static HTML "playback" demo showing the overlay catching a synthetic agent mid-checkout.
