Threat & Feasibility Brief · June 2026 · Confidential
Subject: AI browser automation (OpenClaw / Browser Use / Playwright) using Claude or OpenAI cloud APIs. Scope: Chase, Bank of America, Wells Fargo, Citibank · Cloud API mode only, not local inference.
Neither Browser Use nor OpenClaw sends raw HTML. Instead, they serialize Chrome's accessibility tree — a numerically indexed snapshot of every visible DOM element — and append it to each LLM API call. Whatever the browser renders, the API receives.
DEFAULT_INCLUDE_ATTRIBUTES list in Browser Use source includes the value attribute with no branch for type="password". A password field renders as [42]<input type=password value=Tr0ub4dor3 /> — sent verbatim to the LLM provider.use_vision=True (not the default but commonly enabled), a base64 PNG of the entire viewport is appended. Account balances, transaction lists, and any PII visible on screen transit to the API provider on every step.sensitive_data parameter exists but is manual and leaky. Browser Use offers opt-in credential masking that replaces registered strings with placeholders before the API call. It is not automatic. Two confirmed bugs: controller-layer logs leaked plaintext credentials (issue #713), and the substitution silently fails with some OpenAI models — the agent types the literal placeholder string into forms with no error (issue #1062, open as of this writing).In cloud API mode, every agent step transmits account numbers, balances, and transaction data to the LLM provider. There is no automatic sanitization. The only reliable mitigation is running a local model (Ollama, LM Studio) so nothing leaves the machine.
"By default, we will not use your inputs or outputs from our commercial products to train our models."
— Anthropic Privacy Policy, API Usage Policy (verified June 2026)Practical assessment: Anthropic's 7-day default is the better starting point if ZDR cannot be negotiated. For any workload subject to GLBA or bank examiner review, neither provider's standard contract is sufficient. Custom enterprise terms with negotiated DPA language would be required before this could be considered compliant.
The ToS landscape shifted materially in 2025–2026. Banks have moved from generic "unauthorized access" language to explicit AI-agent prohibitions, and technical enforcement has followed legal updates.
"agents, including AI agents or agentic AI, robots, spiders, scripts, services, software or any manual or automatic device."
— Chase Terms of Use, March 2026Error object, detectable without DOM inspection. TLS/JA4 fingerprinting (server-side, unbypassable), WebGL renderer checks, and behavioral biometrics (mouse linearity, keystroke timing) complete the detection stack.The only compliant path for production use is an explicit data-sharing agreement: Plaid, MX, Finicity, or the bank's own API. CFPB Rule 1033 would standardize this, but its legal status remains uncertain as of June 2026.
ariaSnapshot accessibility tree serializes <input type="password"> values directly (GitHub issue #1566, April 2026). Issue is closed but resolution details are not public — verify your specific version before deploying.sensitive_data mechanism protects credentials when configured correctly. Domain pinning is enforced; the LLM sees only placeholders like x_user/x_pass; real values are injected after reasoning. However, this requires explicit setup, use_vision=False on login pages, and a patched version (bugs #713, #1907).bu_2fa_code placeholder at input time, masked from the LLM. SMS OTP, push notifications, and hardware security keys cannot be automated — they require human-in-the-loop intervention.storage_state.json, reuse across agent sessions. MFA is already satisfied; no credential ever passes through the automation stack during the agent's run.Safest configuration: local model + session cookie export + read-only agent scope + use_vision=False on any page containing account data. This eliminates the credential-to-cloud and screenshot-to-cloud risks simultaneously.
OpenClaw is not a peripheral concern for this assessment — it is the central security liability. The framework's own security record makes cloud API data-handling a secondary risk.
Critical context: Security advisors from Microsoft, Kaspersky, CrowdStrike, Cisco, and NVIDIA have explicitly recommended against connecting OpenClaw to banking or healthcare systems. OpenClaw stores OAuth credentials in plaintext JSON by default and has no enterprise-grade kill switch.
| CVE | CVSS | Type |
|---|---|---|
| CVE-2026-32922 | 9.9 | Privilege escalation — Admin RCE via single API call |
| CVE-2026-22172 | 9.9 | Auth bypass — admin control without credentials |
| CVE-2026-44112 | 9.6 | "Claw Chain" — worst of a 4-CVE attack chain |
| CVE-2026-25253 | 8.8 | One-click WebSocket hijacking — auth token exfiltrated in milliseconds |
keep_alive flags, cookie/localStorage persistence across agent handoffs, and human-in-the-loop re-auth tools (BrowserAct) handle the re-authentication case. With an optimized agent (~3s/step), a 20-step task completes in ~1 minute — well within any bank timeout window.Assessment: Session timeout is a real operational problem at the default configuration but is solvable with the optimized stack. It is the least severe risk on this list, and the one most directly under engineering control.
The aggregated risk is not one large problem — it is six independent problems that compound. Any single one (ToS violation, CFAA exposure, payload leakage to the API provider, OpenClaw's CVE surface, prompt injection on financial pages, bot detection) would individually warrant a no-go. All six are present simultaneously in the default cloud-API configuration.
use_vision=True) on any page with account dataResearch Synthesized From