Security

Security model

Scout's security posture is a direct consequence of its extension architecture. Running inside your browser means your data, sessions, and credentials never leave your machine.

Security principles

Every architectural decision in Scout was made with security as a first-class constraint, not an afterthought.

No remote browser infrastructure

Scout runs in your browser. No traffic routes through third-party servers. No screenshots of your pages stored on external infrastructure. Your data stays in your browser.

No credential forwarding

Your authenticated sessions, cookies, and tokens are never transmitted to Scout's servers. The extension operates locally within your browser's security context.

Least-privilege permissions

Scout requests only the Chrome extension permissions it needs: debugger API for CDP access, tabs for tab management. No blanket permissions, no content script injection by default.

URL scheme firewall

The governance layer blocks navigation to sensitive URL schemes (chrome://, file://, chrome-extension://). Configurable allowlists prevent automation from reaching internal browser pages.
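One way to implement the scheme firewall described above, together with the private-IP rule listed under the threat model's prompt-injection mitigations. This is an added example, not Scout's code: the function names, the default-deny for non-web schemes and the reason strings are assumptions.

```javascript
// Added example, not Scout's code: a navigation guard for an automation layer.
// All function and constant names are hypothetical.
const BLOCKED_SCHEMES = new Set(["chrome:", "file:", "chrome-extension:"]);
const WEB_SCHEMES = new Set(["http:", "https:"]);

// Loopback, RFC 1918, link-local and "this network" IPv4 literals.
function isPrivateIPv4(host) {
  const m = /^(\d+)\.(\d+)\.\d+\.\d+$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Loopback, unspecified, unique-local, link-local; IPv4-mapped is refused outright.
function isPrivateIPv6(host) {
  if (!host.startsWith("[")) return false;
  const h = host.slice(1, -1);
  return h === "::1" || h === "::" || h.startsWith("::ffff:") ||
    /^f[cd][0-9a-f]{2}:/.test(h) || /^fe[89ab][0-9a-f]:/.test(h);
}

function checkNavigation(rawUrl, allowedHosts = []) {
  const deny = (reason) => ({ allowed: false, reason });
  let url;
  try {
    // The WHATWG parser lowercases the scheme and canonicalises numeric hosts,
    // so "0x7f.1" and "2130706433" both arrive here as "127.0.0.1".
    url = new URL(rawUrl);
  } catch {
    return deny("unparseable-url");
  }
  if (BLOCKED_SCHEMES.has(url.protocol)) return deny("blocked-scheme");
  // Assumption: default-deny for everything that is not plain web traffic.
  if (!WEB_SCHEMES.has(url.protocol)) return deny("scheme-not-allowed");
  const host = url.hostname;
  if (isPrivateIPv4(host) || isPrivateIPv6(host)) return deny("private-address");
  // Optional host allowlist: exact match or a dot-separated subdomain.
  const listed = allowedHosts.some((h) => host === h || host.endsWith("." + h));
  if (allowedHosts.length > 0 && !listed) return deny("host-not-allowlisted");
  return { allowed: true, reason: "ok" };
}
```

A check on the URL string cannot see DNS, so a public hostname that resolves to a private address still passes; the resolved address has to be checked again where the connection is made.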

Credit-based rate limiting

Built-in governance prevents runaway automation. Credit limits cap the number of tool calls per time period. No accidental infinite loops consuming resources.
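A sketch of the credit budget described above, showing a runaway loop being cut off with an explicit error. This is an added example, not Scout's code: the class name, the per-tool costs, the limits and the choice of budget key are assumptions.

```javascript
// Added example, not Scout's code: a fixed-window credit budget for tool calls.
// Class name, tool costs and limits are constructed for illustration.
class CreditLimiter {
  constructor({ credits, windowMs, costs = {}, now = () => Date.now() }) {
    this.credits = credits;
    this.windowMs = windowMs;
    // A Map, so a tool named "constructor" cannot hit Object.prototype keys.
    this.costs = new Map(Object.entries(costs));
    this.now = now; // injectable clock keeps the behaviour testable
    this.budgets = new Map(); // principal -> { windowStart, spent }
  }

  // Charge one tool call; a refusal is an explicit result, never a silent drop.
  charge(principal, tool) {
    const t = this.now();
    let b = this.budgets.get(principal);
    if (!b || t - b.windowStart >= this.windowMs) {
      b = { windowStart: t, spent: 0 };
      this.budgets.set(principal, b);
    }
    const cost = this.costs.get(tool) ?? 1; // assumption: unlisted tools cost 1
    if (b.spent + cost > this.credits) {
      const retryAfterMs = b.windowStart + this.windowMs - t;
      return { ok: false, error: "credit-limit-exceeded", retryAfterMs };
    }
    b.spent += cost;
    return { ok: true, remaining: this.credits - b.spent };
  }
}

// A runaway agent loop: returns how many calls ran before the budget refused one.
function runUntilRefused(limiter, principal, tool, maxIterations = 1000) {
  for (let i = 0; i < maxIterations; i++) {
    if (!limiter.charge(principal, tool).ok) return i;
  }
  return maxIterations;
}
```

Keying the budget on the account rather than on the WebSocket connection matters here: a per-connection budget refills every time the agent reconnects.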

Session isolation

Each CDP session is scoped to a single tab. Sessions cannot access other tabs' content, cookies, or execution contexts. Clean teardown on disconnect.

End-to-end encryption

All communication between the extension and orchestration server uses WSS (WebSocket Secure). TLS encryption for all data in transit.

Deterministic error handling

Failed operations return explicit errors, never silently succeed. The agent always knows the true state of browser interactions.

Extension permissions

Chrome extension permissions Scout requires, with rationale and risk assessment for each.

debugger

Allows using chrome.debugger to attach CDP sessions to tabs.

Why: Core CDP access. Cannot be scoped further.

High power, low risk — isolated per session.

tabs

Access the list of open tabs and their URLs and titles.

Why: Required for browser-tabs and browser-attach tools.

Read-only metadata. No tab content access.

activeTab

Access the active tab when the user invokes the extension.

Why: Scoped tab access on user gesture.

Only active tab, only on invocation.

storage

Store local session state, connection metadata, and settings.

Why: Extension needs to persist connection config across restarts.

Local only. Never synced to Scout servers.

identity

OAuth2 authentication for user identity.

Why: Google sign-in for account linking.

Standard OAuth flow. No raw credential access.

clipboardRead/Write

Read from and write to the system clipboard.

Why: Required for browser-clipboard tool.

Only triggered by explicit tool calls.

scripting

Inject scripts into web pages programmatically.

Why: Content script injection for in-page features.

Scoped to active page context.

sidePanel

Show the side panel for session status and monitoring.

Why: User-visible UI only. No data collection.

UI surface only.

cookies

Read and write browser cookies for any domain.

Why: Required for browser-cookies tool.

Scoped per tool call. No bulk access.

webNavigation

Observe navigation events across tabs.

Why: Track page lifecycle for session management.

Read-only navigation events.

contextMenus

Add items to the browser context menu.

Why: Quick-access actions from right-click menu.

UI surface only.

downloads

Monitor and manage file downloads.

Why: Required for browser-download tool.

Scoped to downloads initiated by tool calls.

notifications

Show browser notifications.

Why: Alert user to completed jobs or errors.

User-visible alerts only.

tabGroups

Organize tabs into groups.

Why: Tab organization for multi-session workflows.

UI management only.

Threat model

Known attack vectors, scenarios of concern, and the mitigations Scout applies.

Prompt injection

Malicious prompt instructs Scout to exfiltrate data

Mitigations

Governance URL allowlist blocks navigation to private IP ranges and chrome:// URLs
Rate limits prevent bulk data exfiltration through tool calls
Command validation rejects malformed or out-of-scope CDP commands

Session hijacking

Attacker intercepts or replays WebSocket commands

Mitigations

Sessions are identified per WebSocket connection
The extension only accepts commands from the authenticated WebSocket session
WSS with certificate validation on all connections

Resource exhaustion

Agent enters an infinite loop consuming browser resources

Mitigations

Credit limits cap total tool call volume per time window
Governance layer enforces maximum crawl depth and page count
Rate limiting at the MCP server level

Cross-session data leak

One agent session accesses another session's data

Mitigations

CDP sessions are isolated per tab by Chrome's debugger API
Session teardown on disconnect clears all session state
No cross-session state sharing except explicit observational memory

Security disclosure

If you discover a security vulnerability in Scout, please report it via responsible disclosure. We aim to respond within 48 hours and provide a fix within 14 days for critical issues.

security@scout.i.ng