Threat & Feasibility Brief — Confidential June 2026  ·  Cloud API mode only, not local inference

Threat & Feasibility Brief · June 2026 · Confidential

OpenClaw + Cloud APIs against authenticated bank sessions

Subject: AI browser automation (OpenClaw / Browser Use / Playwright) using Claude or OpenAI cloud APIs. Scope: Chase, Bank of America, Wells Fargo, Citibank · Cloud API mode only, not local inference.

Payload exposure
HIGH
OpenClaw CVEs
HIGH
Bank ToS / CFAA
HIGH
Bot detection
HIGH
Credential handling
MEDIUM
Session timeout
MEDIUM
Prompt injection
HIGH
SECTION 1 · HIGH

Every page the agent reads travels to the cloud API in plain text — Prompt payload

Neither Browser Use nor OpenClaw sends raw HTML. Instead, they serialize Chrome's accessibility tree — a numerically indexed snapshot of every visible DOM element — and append it to each LLM API call. Whatever the browser renders, the API receives.

Accessibility tree field valuesHIGH
FindingAccessibility tree carries full field values. The DEFAULT_INCLUDE_ATTRIBUTES list in Browser Use source includes the value attribute with no branch for type="password". A password field renders as [42]<input type=password value=Tr0ub4dor3 /> — sent verbatim to the LLM provider.
SourceBrowser Use source, confirmed GitHub issue #1566 (Playwright MCP, Apr 2026)
Vision mode screenshotsHIGH
FindingVision mode sends full screenshots. When use_vision=True (not the default but commonly enabled), a base64 PNG of the entire viewport is appended. Account balances, transaction lists, and any PII visible on screen transit to the API provider on every step.
SourceBrowser Use docs; confirmed via research
sensitive_data parameterMED
FindingThe sensitive_data parameter exists but is manual and leaky. Browser Use offers opt-in credential masking that replaces registered strings with placeholders before the API call. It is not automatic. Two confirmed bugs: controller-layer logs leaked plaintext credentials (issue #713), and the substitution silently fails with some OpenAI models — the agent types the literal placeholder string into forms with no error (issue #1062, open as of this writing).
SourceBrowser Use GitHub issues #713, #1062, #1907
Cloud profile syncHIGH
FindingBrowser Use Cloud profile sync uploads your cookie store. The cloud version's profile sync feature transmits the entire Chrome cookie store — including live authenticated bank sessions — to third-party infrastructure. This is a distinct risk from the local-agent configuration.
SourceBrowser Use Cloud documentation
Bottom Line

In cloud API mode, every agent step transmits account numbers, balances, and transaction data to the LLM provider. There is no automatic sanitization. The only reliable mitigation is running a local model (Ollama, LM Studio) so nothing leaves the machine.

SECTION 2 · MED

Both providers store your prompts by default. Neither covers banking regulation — API provider data retention

Anthropic retentionMED
FindingAnthropic retains API inputs and outputs for 7 days by default (reduced from 30 days September 14, 2025). Zero Data Retention (ZDR) is available for qualifying enterprise customers on supported endpoints (Messages API, Token Counting, Claude Code) — requires sales approval.

"By default, we will not use your inputs or outputs from our commercial products to train our models."

— Anthropic Privacy Policy, API Usage Policy (verified June 2026)
OpenAI retentionMED
FindingOpenAI retains API abuse-monitoring logs for up to 30 days. These logs can contain actual prompts and responses, not only metadata. Training opt-out (default since March 2023) and logging opt-out are separate controls — standard API keys still generate 30-day abuse logs even with training disabled.
SourceOpenAI API Data Usage Policy (verified June 2026)
Policy-violation flaggingHIGH
FindingPolicy-violation flagging overrides ZDR at both providers. Flagged content is retained up to 2 years; classifier scores up to 7 years. A bank transaction page that triggers a content classifier — say, a fraud-related merchant name — can move from 7-day to 2-year retention with no user notification.
SourceAnthropic Trust & Safety retention schedules; OpenAI terms
Banking-specific provisionsHIGH
FindingNeither provider has GLBA, FFIEC, or banking-specific contractual provisions. OpenAI explicitly prohibits PCI DSS cardholder data in API terms. Anthropic has no explicit financial prohibition but recommends a Data Processing Agreement (DPA) for sensitive data. Both DPAs are GDPR instruments only — no US banking regulator provisions exist in standard contracts.
SourceOpenAI App Developer Terms; Anthropic DPA; verified June 2026
Assessment

Practical assessment: Anthropic's 7-day default is the better starting point if ZDR cannot be negotiated. For any workload subject to GLBA or bank examiner review, neither provider's standard contract is sufficient. Custom enterprise terms with negotiated DPA language would be required before this could be considered compliant.

SECTION 3 · HIGH

Chase now names AI agents explicitly. Detection is essentially certain — Bank ToS & legal exposure

The ToS landscape shifted materially in 2025–2026. Banks have moved from generic "unauthorized access" language to explicit AI-agent prohibitions, and technical enforcement has followed legal updates.

Chase ToS (March 2026)HIGH
FindingChase Terms of Use (March 2026) explicitly name AI agents.

"agents, including AI agents or agentic AI, robots, spiders, scripts, services, software or any manual or automatic device."

— Chase Terms of Use, March 2026
DetailAI agents must also self-identify — they cannot present as human users. This is new language, added in response to browser-based agent activity.
Wells Fargo C&DHIGH
FindingWells Fargo sent a cease-and-desist to Trustly (October 2025) for screen scraping. Chase has stated it has "fully eliminated screen scraping" via Akoya for enrolled accounts — meaning unauthorized automated access is not merely ToS-prohibited but technically impossible through standard web paths for those accounts.
SourceAmerican Banker, October 2025; Chase/Akoya announcement
CFAA liabilityHIGH
FindingCFAA liability is the central legal risk — and it is unsettled. Amazon v. Perplexity (Ninth Circuit, active June 2026) is testing whether a user's explicit authorization to an AI agent extends CFAA access rights to the agent. The district court ruled no (March 2026). If that position is affirmed, banks have a federal weapon against AI agents on authenticated accounts even with the account holder's consent.
Sourcenohacks.co CFAA analysis; Ninth Circuit docket
ThreatMetrix detectionHIGH
FindingLexisNexis ThreatMetrix is deployed at 9 of 10 top US banks and operates at a network level that browser spoofing cannot defeat. Key 2025 signal: CDP (Chrome DevTools Protocol) detection via V8 serialization leaks through a custom getter on JavaScript's Error object, detectable without DOM inspection. TLS/JA4 fingerprinting (server-side, unbypassable), WebGL renderer checks, and behavioral biometrics (mouse linearity, keystroke timing) complete the detection stack.
SourceLexisNexis ThreatMetrix; Security Boulevard (March 2025)
Note

The only compliant path for production use is an explicit data-sharing agreement: Plaid, MX, Finicity, or the bank's own API. CFPB Rule 1033 would standardize this, but its legal status remains uncertain as of June 2026.

SECTION 4 · MED

The agent sees your password unless you architect around it. MFA usually requires a human — Credential handling & MFA

Playwright MCP plaintextHIGH
FindingUnpatched Playwright MCP serializes password field values as plaintext. The ariaSnapshot accessibility tree serializes <input type="password"> values directly (GitHub issue #1566, April 2026). Issue is closed but resolution details are not public — verify your specific version before deploying.
SourcePlaywright MCP GitHub issue #1566 (April 2026)
sensitive_data mechanismMED
FindingBrowser Use's sensitive_data mechanism protects credentials when configured correctly. Domain pinning is enforced; the LLM sees only placeholders like x_user/x_pass; real values are injected after reasoning. However, this requires explicit setup, use_vision=False on login pages, and a patched version (bugs #713, #1907).
SourceBrowser Use documentation, GitHub issues
TOTP MFAMED
FindingTOTP (authenticator app) MFA can be automated. Supply the raw TOTP secret; Browser Use generates a fresh code via bu_2fa_code placeholder at input time, masked from the LLM. SMS OTP, push notifications, and hardware security keys cannot be automated — they require human-in-the-loop intervention.
SourceBrowser Use documentation
Session cookie exportLOW
FindingSession cookie export is the safest credential approach. Authenticate once as a human, export storage_state.json, reuse across agent sessions. MFA is already satisfied; no credential ever passes through the automation stack during the agent's run.
SourceBrowser Use / Playwright documentation
Safest

Safest configuration: local model + session cookie export + read-only agent scope + use_vision=False on any page containing account data. This eliminates the credential-to-cloud and screenshot-to-cloud risks simultaneously.

SECTION 5 · HIGH

OpenClaw has 138+ CVEs in 2026. The marketplace distributed banking malware — Known incidents & OpenClaw security posture

OpenClaw is not a peripheral concern for this assessment — it is the central security liability. The framework's own security record makes cloud API data-handling a secondary risk.

Critical

Critical context: Security advisors from Microsoft, Kaspersky, CrowdStrike, Cisco, and NVIDIA have explicitly recommended against connecting OpenClaw to banking or healthcare systems. OpenClaw stores OAuth credentials in plaintext JSON by default and has no enterprise-grade kill switch.

CVECVSSType
CVE-2026-329229.9Privilege escalation — Admin RCE via single API call
CVE-2026-221729.9Auth bypass — admin control without credentials
CVE-2026-441129.6"Claw Chain" — worst of a 4-CVE attack chain
CVE-2026-252538.8One-click WebSocket hijacking — auth token exfiltrated in milliseconds
ClawHavoc (Jan 2026)HIGH
FindingClawHavoc (January 2026): 341 malicious skills distributed through the ClawHub marketplace, including macOS Atomic Stealer and Windows keyloggers specifically targeting banking passwords. Finance-sector deployments confirmed by Bitsight.
SourceBitsight threat report, January 2026
Moltbook breach (Jan 2026)HIGH
FindingMoltbook breach (January 2026): 1.5 million agent API tokens exposed, including OAuth tokens linked to connected financial accounts. 21,639 OpenClaw instances were found publicly exposed with plaintext API keys and OAuth credentials.
SourceSecurity researcher disclosure, January 2026
Prompt injectionHIGH
FindingPrompt injection is architecturally unfixable in browser agents. arXiv paper 2505.13076 ("Hidden Dangers of Browsing AI Agents") establishes that prompt injection via page content is structurally fundamental, not patchable. Transaction memo fields, payee names, and any user-generated content visible to the agent are injection vectors. A real incident involving hidden email instructions caused autonomous approval of $2.3M in fraudulent wire transfers.
SourcearXiv 2505.13076; Guardio Labs Comet research (August 2025)
Giskard analysisHIGH
FindingGiskard analysis found cross-session secret leakage in OpenClaw in multi-user gateway deployments, plus a WebSocket RCE vector (separate from the CVEs above).
SourceGiskard AI security analysis, 2026
SECTION 6 · MED

An unoptimized 20-step task overlaps the bank's idle-timeout window — Latency & session timeout

Inference latencyMED
TTFTAPI inference latency (time to first token): Claude Haiku 4.5: ~597ms median · Claude Sonnet 4: ~900ms median · GPT-4 Turbo: ~350–500ms · GPT-4.1: ~1,670ms
Per-stepFull per-step wall-clock time (inference + browser + network): Optimized gateway (Browser Use 0.8.0): ~3 seconds/step, ~20 steps/minute. Unoptimized custom agent: 15–30 seconds/step.
SourceAPI benchmark data, April–May 2025
Bank session timeoutsMED
FindingBank session timeouts run 5–15 minutes. An unoptimized 20-step task (15–30s/step) takes 5–10 minutes — directly inside the timeout window. Banks using idle detection may time out faster during LLM reasoning pauses when no DOM interaction occurs.
SourceResearch synthesis; bank UI behavior
MitigationsLOW
FindingMitigations exist and are documented: keep_alive flags, cookie/localStorage persistence across agent handoffs, and human-in-the-loop re-auth tools (BrowserAct) handle the re-authentication case. With an optimized agent (~3s/step), a 20-step task completes in ~1 minute — well within any bank timeout window.
SourceBrowserAct docs; Browser Use 0.8.0 release notes
Assessment

Assessment: Session timeout is a real operational problem at the default configuration but is solvable with the optimized stack. It is the least severe risk on this list, and the one most directly under engineering control.

DECISION BRIEF

Cloud API mode against production bank accounts: do not deploy without structural changes

The aggregated risk

The aggregated risk is not one large problem — it is six independent problems that compound. Any single one (ToS violation, CFAA exposure, payload leakage to the API provider, OpenClaw's CVE surface, prompt injection on financial pages, bot detection) would individually warrant a no-go. All six are present simultaneously in the default cloud-API configuration.

Block in cloud API mode

  • Production bank accounts with real credentials
  • Any OpenClaw deployment with OAuth tokens to bank accounts
  • Vision mode (use_vision=True) on any page with account data
  • Browser Use Cloud profile sync for bank profiles
  • Any multi-user OpenClaw gateway without CVE-2026-22172 patch

Conditionally viable (local model only)

  • Read-only statement download with local model + session cookies
  • TOTP-based auth automation if secret never reaches cloud API
  • Plaid/MX/Finicity API access (the only fully compliant path)
  • Sandboxed testing against bank demo/sandbox environments

Research Synthesized From

Browser Use GitHub — issues #713, #1062, #1566, #1907 Anthropic & OpenAI privacy policies (June 2026) Chase Terms of Use (March 2026) LexisNexis ThreatMetrix documentation arXiv 2505.13076 arXiv 2604.03070 Bitsight ClawHavoc report (Jan 2026) Giskard AI analysis American Banker (Oct 2025, Mar 2026) OWASP LLM Top 10 2025 Amazon v. Perplexity Ninth Circuit filings (June 2026)