
fix(browser): neutralize media directives in browser output [AI]#91422

Merged: pgondhi987 merged 2 commits into openclaw:main from pgondhi987:fix/fix-724 on Jun 8, 2026

Conversation

pgondhi987 commented Jun 8, 2026

Contributor

Summary

  • Neutralizes line-start MEDIA: directives before browser-originated snapshot and tabs text is returned to agents.
  • Applies the same defanging to direct AI snapshot text and browser JSON string fields while preserving structured details for callers.
  • Adds focused browser tool regression coverage for AI snapshots, ARIA snapshots, and tabs output.
  • AI-assisted change.

Linked context

Maintainer-requested browser tool hardening.

Real behavior proof (required for external PRs)

Behavior addressed: Browser-controlled text returned by the browser tool can no longer surface line-start MEDIA: directives unchanged in model-facing output.
Real environment tested: Local OpenClaw source checkout with an isolated dev Gateway, managed Playwright Chromium, and a loopback HTTP page exercising the browser tool's live ARIA snapshot path.
Exact steps or command run after this patch: pnpm exec playwright install chromium; pnpm exec playwright install-deps chromium; pnpm openclaw --dev config set browser.noSandbox true; pnpm openclaw --dev config set browser.headless true; pnpm openclaw --dev config set browser.ssrfPolicy.allowedHostnames '["127.0.0.1"]'; pnpm openclaw --dev gateway run --dev --force --auth none --bind loopback --ws-log compact; python3 -m http.server 8765 --bind 127.0.0.1 --directory /tmp/openclaw-browser-proof; OPENCLAW_CONFIG_PATH=/home/ubuntu/.openclaw-dev/openclaw.json pnpm tsx /tmp/openclaw-browser-proof/proof.ts; node scripts/run-vitest.mjs extensions/browser/src/browser-tool.test.ts.
Evidence after fix: The live browser proof opened http://127.0.0.1:8765/ through createBrowserTool, captured an ARIA snapshot from page-controlled text containing a newline followed by MEDIA:/tmp/openclaw-proof.png, and returned ariaWrapped: true, ariaHasNeutralizedDirective: true, ariaHasRawEscapedDirective: false, ariaDetailsKind: "snapshot", and ariaNodeCount: 21. The focused browser tool test shard also passed with 69 tests.
Observed result after fix: Browser snapshot output is wrapped as external content with the page-controlled line-start media directive neutralized before model-facing delivery; structured snapshot details remain available for callers.
What was not tested: Manual channel rendering was not exercised; the live proof targets the browser agent-tool output boundary changed by this PR.
Proof limitations or environment constraints: Runtime proof used a local loopback page and a dev browser profile with loopback explicitly allowlisted.
Before evidence (optional but encouraged): Existing tests covered external wrapping and screenshot vision defanging, but not these browser action output paths.

Tests and validation

  • node scripts/run-vitest.mjs extensions/browser/src/browser-tool.test.ts
  • Live browser runtime proof through createBrowserTool against a loopback page with page-controlled newline MEDIA: content.

Regression coverage was added for AI snapshot text, ARIA snapshot JSON string fields, and tabs JSON string fields.

Risk checklist

Did user-visible behavior change? (Yes/No): Yes, browser tool text output now prefixes line-start MEDIA: directives from page-controlled content with [neutralized].
Did config, environment, or migration behavior change? (Yes/No): No.
Did security, auth, secrets, network, or tool execution behavior change? (Yes/No): Yes, this changes browser tool output sanitization only.
What is the highest-risk area? Browser tool consumers that inspect exact returned text.
How is that risk mitigated? Structured details are preserved unchanged, and the text-only change matches the existing screenshot vision sanitization behavior.

Current review state

What is the next action? Await GitHub Actions and reviewer confirmation of the added live browser proof.
What is still waiting on author, maintainer, CI, or external proof? GitHub Actions and maintainer review.
Which bot or reviewer comments were addressed? Added live browser runtime proof requested by the automated review.

@openclaw-barnacle openclaw-barnacle Bot added size: S maintainer Maintainer-authored PR labels Jun 8, 2026
clawsweeper Bot commented Jun 8, 2026

Contributor

Codex review: needs changes before merge. Reviewed June 8, 2026, 9:37 AM ET / 13:37 UTC.

Summary
The PR imports the browser media-directive neutralizer into browser tool actions, applies it to AI snapshot text and string values before wrapped browser JSON output, and adds regression tests for ARIA snapshots, AI snapshots, and tabs output.

PR surface: Source +6, Tests +61. Total +67 across 2 files.

Reproducibility: yes, from source inspection: act:evaluate route handlers can return page-controlled strings in result, and the tool action path still serializes those results with raw jsonResult. I did not run a live reproduction because this review was required to keep the checkout read-only.

Review metrics: 1 noteworthy metric.

  • Browser JSON output coverage: 3 covered, 1 still raw. Snapshots, tabs, and console use the new browser JSON wrapper, but act:evaluate can still return page-controlled strings through jsonResult.

Merge readiness
Overall: 🧂 unranked krab
Proof: 🐚 platinum hermit
Patch quality: 🧂 unranked krab
Result: blocked by patch quality or review findings.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • Neutralize normal and retry act JSON result text while preserving raw structured details.
  • [P2] Add focused browser-tool regression coverage for an act:evaluate result string containing newline MEDIA:/tmp/secret.png.

Risk before merge

  • [P1] The claimed browser-output hardening remains incomplete: maintainers could merge it thinking browser-controlled JSON string fields are covered while act:evaluate still returns page-controlled strings through raw jsonResult text.

Maintainer options:

  1. Decide the mitigation before merge
    Route every browser-originated JSON text result covered by the browser tool boundary, including act normal and retry results, through one neutralizing wrapper while preserving structured details unchanged.
  2. Pause or close
    Do not merge this PR until maintainers decide whether the risk is worth taking.

Next step before merge

  • [P2] There is a narrow mechanical repair: use the same browser neutralizing text wrapper for executeActAction JSON results and add one focused regression test.

Security
Needs attention: The diff uses the existing sanitizer, but leaves a concrete browser-output security gap for page-returned act:evaluate strings.

Review findings

  • [P1] Route act results through the browser neutralizer — extensions/browser/src/browser-tool.actions.ts:208-213

Review details

Best possible solution:

Route every browser-originated JSON text result covered by the browser tool boundary, including act normal and retry results, through one neutralizing wrapper while preserving structured details unchanged.

Do we have a high-confidence way to reproduce the issue?

Yes from source inspection: act:evaluate route handlers can return page-controlled strings in result, and the tool action path still serializes those results with raw jsonResult. I did not run a live reproduction because this review was required to keep the checkout read-only.

Is this the best way to solve the issue?

No as written: the patch is an acceptable partial mitigation for snapshot/tabs/console text, but the best fix is to make the browser output neutralization boundary cover act JSON results too. The structured details can still preserve raw values for callers.

Full review comments:

  • [P1] Route act results through the browser neutralizer — extensions/browser/src/browser-tool.actions.ts:208-213
    wrapBrowserExternalJson now neutralizes browser JSON strings, but the act path still returns jsonResult(result) for both normal and retry results. The /act route can put page-controlled evaluate output in result, so () => document.body.innerText on a page containing a line-start MEDIA:/tmp/secret.png still reaches the agent as raw JSON text. Please reuse the browser neutralizing wrapper for act results while preserving structured details.
    Confidence: 0.87

Overall correctness: patch is incorrect
Overall confidence: 0.86

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 9a82b60024b5.

Label changes

Label changes:

  • add proof: sufficient: Contributor real behavior proof is sufficient. The updated PR body includes live dev Gateway and managed Chromium loopback proof showing an ARIA snapshot with page-controlled line-start MEDIA: text was neutralized after the patch.
  • add status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Sufficient (live_output): The updated PR body includes live dev Gateway and managed Chromium loopback proof showing an ARIA snapshot with page-controlled line-start MEDIA: text was neutralized after the patch.
  • remove status: 📣 needs proof: Current PR status label is status: ⏳ waiting on author.

Label justifications:

  • P2: This is a normal-priority browser plugin security hardening PR with a concrete merge blocker but no evidence of a release-wide outage, data loss, or crash loop.
  • rating: 🧂 unranked krab: Overall readiness is 🧂 unranked krab; proof is 🐚 platinum hermit and patch quality is 🧂 unranked krab.
  • status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Sufficient (live_output): The updated PR body includes live dev Gateway and managed Chromium loopback proof showing an ARIA snapshot with page-controlled line-start MEDIA: text was neutralized after the patch.
  • proof: sufficient: Contributor real behavior proof is sufficient. The updated PR body includes live dev Gateway and managed Chromium loopback proof showing an ARIA snapshot with page-controlled line-start MEDIA: text was neutralized after the patch.

Evidence reviewed

PR surface:

Source +6, Tests +61. Total +67 across 2 files.

PR surface stats:

| Area | Files | Added | Removed | Net |
|---|---|---|---|---|
| Source | 1 | 8 | 2 | +6 |
| Tests | 1 | 61 | 0 | +61 |
| Docs | 0 | 0 | 0 | 0 |
| Config | 0 | 0 | 0 | 0 |
| Generated | 0 | 0 | 0 | 0 |
| Other | 0 | 0 | 0 | 0 |
| Total | 2 | 69 | 2 | +67 |

Security concerns:

  • [medium] act:evaluate output can still carry raw MEDIA directives — extensions/browser/src/browser-tool.actions.ts:598
    Browser action results still go through jsonResult, while the route can return page-controlled evaluate strings in result; this leaves a model-facing browser output path outside the new media-directive neutralizer.
    Confidence: 0.84

Acceptance criteria:

  • [P1] node scripts/run-vitest.mjs extensions/browser/src/browser-tool.test.ts.
  • [P1] git diff --check.

What I checked:

  • Proposed sanitizer coverage: The PR changes wrapBrowserExternalJson to neutralize string values before JSON stringification and changes direct AI snapshot text to call neutralizeMediaDirectives before wrapping. (extensions/browser/src/browser-tool.actions.ts:208, 734eca7359b0)
  • Regression coverage added: The PR adds focused tests for ARIA snapshot, AI snapshot, and tabs output containing line-start MEDIA: text while preserving raw structured details for tabs. (extensions/browser/src/browser-tool.test.ts:1621, 734eca7359b0)
  • Remaining unneutralized browser JSON path: After the proposed patch, executeActAction still returns normal and retry action results with jsonResult, not the browser neutralizing JSON wrapper. (extensions/browser/src/browser-tool.actions.ts:598, 734eca7359b0)
  • Page-controlled evaluate result source: The browser /act route places both existing-session and managed-browser evaluate results in a JSON result field returned to the tool caller. (extensions/browser/src/browser/routes/agent.act.ts:641, 9a82b60024b5)
  • Raw JSON result contract: jsonResult stringifies payloads directly into model-facing text and keeps the original payload as details, so it does not apply browser-specific media directive neutralization. (src/agents/tools/common.ts:417, 9a82b60024b5)
  • Real behavior proof update: The PR body/comment reports a live dev Gateway plus managed Chromium loopback proof where an ARIA snapshot containing newline MEDIA:/tmp/openclaw-proof.png returned ariaHasNeutralizedDirective: true and ariaHasRawEscapedDirective: false, plus the focused browser tool shard passed. (734eca7359b0)

Likely related people:

  • vincentkoc: Authored the current split-out browser action formatting file and the existing neutralizeMediaDirectives helper now reused by this PR. (role: recent area contributor; confidence: high; commits: 2b43315933d4, 2e08f0f4221f; files: extensions/browser/src/browser-tool.actions.ts, extensions/browser/src/browser/vision.ts, extensions/browser/src/browser-tool.test.ts)
  • steipete: Authored the browser plugin runtime/test extraction and several browser tool refactors that precede the current browser action boundary. (role: feature-history owner; confidence: medium; commits: 197510f69302, 9a7ceceffaa8, 4dbe8f9f665c; files: extensions/browser/src/browser-tool.ts, extensions/browser/src/browser-tool.test.ts)
  • pgondhi987: Besides authoring this PR, this contributor has prior merged browser route hardening work in the same plugin area. (role: recent adjacent contributor; confidence: medium; commits: b75ad800a590; files: extensions/browser/src/browser/routes/agent.act.ts, extensions/browser/src/browser/pw-tools-core.interactions.ts)

What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@clawsweeper clawsweeper Bot added rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. P2 Normal backlog priority with limited blast radius. labels Jun 8, 2026
pgondhi987 (Author)

Updated the PR body with live browser runtime proof.

Proof exercised createBrowserTool against a loopback page through the dev Gateway and managed Chromium. The page-controlled ARIA snapshot content included a newline followed by MEDIA:/tmp/openclaw-proof.png; the observed result was ariaWrapped: true, ariaHasNeutralizedDirective: true, ariaHasRawEscapedDirective: false, ariaDetailsKind: "snapshot", and ariaNodeCount: 21.

Focused validation still passes: node scripts/run-vitest.mjs extensions/browser/src/browser-tool.test.ts.

@clawsweeper review

clawsweeper Bot commented Jun 8, 2026

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

pgondhi987 (Author)

Verification update for head 734eca7359b0fa385d3493a7bed7ba62eee76b6c:

  • Security gate dry-run: PASS, scope HARDEN, fix verdict SOLVES, backward compatibility PASS.
  • Security gate real run: PASS, scope HARDEN, fix verdict SOLVES, backward compatibility PASS, actionable automated-review comments 0.
  • Review-pr: PASS in review-only mode with artifacts under the canonical .worktrees/pr-91422 location; recommendation ready with 0 findings.
  • Autoreview: PASS via timeout 1800 .agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main; clean result, no accepted/actionable findings.
  • Local validation: PASS via node scripts/run-vitest.mjs extensions/browser/src/browser-tool.test.ts with 69 tests.
  • Real behavior proof: PASS through createBrowserTool against a loopback page in an isolated dev Gateway + managed Chromium run. The ARIA snapshot output had ariaWrapped: true, ariaHasNeutralizedDirective: true, ariaHasRawEscapedDirective: false, ariaDetailsKind: "snapshot", and ariaNodeCount: 21.

CI note: the PR CI rerun still fails in unchanged src/commands/agent-via-gateway.test.ts SIGTERM/local-agent assertions. This PR diff is limited to extensions/browser/src/browser-tool.actions.ts and extensions/browser/src/browser-tool.test.ts, so I treated that shard as unrelated to this browser output hardening change. Routine cancelled automation/proof checks were ignored.

No config, environment, migration, auth, provider, plugin contract, storage, or channel-delivery behavior changed. Structured browser details are preserved; the intentional behavior change is limited to model-visible browser text that contains line-start MEDIA: directives.

@clawsweeper clawsweeper Bot added proof: sufficient ClawSweeper judged the real behavior proof convincing. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. and removed status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. labels Jun 8, 2026
@pgondhi987 pgondhi987 merged commit 53357e8 into openclaw:main Jun 8, 2026
github-actions Bot pushed a commit to Desicool/openclaw that referenced this pull request Jun 9, 2026
eleboucher pushed a commit to eleboucher/homelab that referenced this pull request Jun 12, 2026
…26.6.6) (#1040)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [ghcr.io/openclaw/openclaw](https://openclaw.ai) ([source](https://github.com/openclaw/openclaw)) | patch | `2026.6.5` → `2026.6.6` |

---

### Release Notes

<details>
<summary>openclaw/openclaw (ghcr.io/openclaw/openclaw)</summary>

### [`v2026.6.6`](https://github.com/openclaw/openclaw/blob/HEAD/CHANGELOG.md#202666)

[Compare Source](openclaw/openclaw@v2026.6.5...v2026.6.6)

##### Highlights

- Security boundaries are substantially tighter across transcripts, sandbox binds, host environment inheritance, MCP stdio, Codex HTTP access, native search policy, elevated sender checks, deleted-agent ACP bypasses, loopback tools, Discord moderation, and Teams group actions; exec approvals now fail closed on timeout. ([#&#8203;91529](openclaw/openclaw#91529), [#&#8203;91618](openclaw/openclaw#91618), [#&#8203;91615](openclaw/openclaw#91615), [#&#8203;91619](openclaw/openclaw#91619), [#&#8203;91741](openclaw/openclaw#91741), [#&#8203;91745](openclaw/openclaw#91745), [#&#8203;91746](openclaw/openclaw#91746), [#&#8203;91748](openclaw/openclaw#91748), [#&#8203;91749](openclaw/openclaw#91749), [#&#8203;91750](openclaw/openclaw#91750), [#&#8203;91751](openclaw/openclaw#91751), [#&#8203;91752](openclaw/openclaw#91752), [#&#8203;91763](openclaw/openclaw#91763), [#&#8203;89938](openclaw/openclaw#89938)) Thanks [@&#8203;joshavant](https://github.com/joshavant), [@&#8203;pgondhi987](https://github.com/pgondhi987), [@&#8203;mmaps](https://github.com/mmaps), [@&#8203;eleqtrizit](https://github.com/eleqtrizit), [@&#8203;shakkernerd](https://github.com/shakkernerd), and [@&#8203;drobison00](https://github.com/drobison00).
- Telegram delivery is safer and more coherent: account-scoped topics route to the right agent, streamed text survives tool calls, `/compact` works on generic ingress, callback handling uses concrete APIs, draft chunking is shared, durable dispatch dedupe moved into the SDK, and unauthorized DM text stays out of cache and prompt context. ([#&#8203;91189](openclaw/openclaw#91189), [#&#8203;88682](openclaw/openclaw#88682), [#&#8203;89588](openclaw/openclaw#89588), [#&#8203;90212](openclaw/openclaw#90212), [#&#8203;91876](openclaw/openclaw#91876), [#&#8203;91874](openclaw/openclaw#91874), [#&#8203;91904](openclaw/openclaw#91904), [#&#8203;91478](openclaw/openclaw#91478), [#&#8203;91915](openclaw/openclaw#91915)) Thanks [@&#8203;codysai001](https://github.com/codysai001), [@&#8203;alexzhu0](https://github.com/alexzhu0), [@&#8203;joelnishanth](https://github.com/joelnishanth), [@&#8203;snowzlm](https://github.com/snowzlm), [@&#8203;obviyus](https://github.com/obviyus), and [@&#8203;sallyom](https://github.com/sallyom).
- iMessage recovery and delivery now cover always-on inbound restart, durable echo markers, block streaming, idle approval discovery, hardened outbound transport, and actionable inbound startup diagnostics. ([#&#8203;91335](openclaw/openclaw#91335), [#&#8203;91449](openclaw/openclaw#91449), [#&#8203;88969](openclaw/openclaw#88969), [#&#8203;88530](openclaw/openclaw#88530), [#&#8203;91783](openclaw/openclaw#91783), [#&#8203;91785](openclaw/openclaw#91785)) Thanks [@&#8203;omarshahine](https://github.com/omarshahine), [@&#8203;jmissig](https://github.com/jmissig), and [@&#8203;colmbrogan](https://github.com/colmbrogan).
- Browser and MCP connectivity gained existing-session CDP support, discovered WebSocket validation, default-profile `cdpUrl` handling, safer browser-output boundaries, Streamable HTTP loopback transport, corrected OAuth/SSE authorization handling, and broader schema compatibility. ([#&#8203;91422](openclaw/openclaw#91422), [#&#8203;89851](openclaw/openclaw#89851), [#&#8203;91736](openclaw/openclaw#91736), [#&#8203;91747](openclaw/openclaw#91747), [#&#8203;91451](openclaw/openclaw#91451), [#&#8203;80143](openclaw/openclaw#80143)) Thanks [@&#8203;pgondhi987](https://github.com/pgondhi987), [@&#8203;anagnorisis2peripeteia](https://github.com/anagnorisis2peripeteia), [@&#8203;lifuyue](https://github.com/lifuyue), [@&#8203;eleqtrizit](https://github.com/eleqtrizit), [@&#8203;LiuwqGit](https://github.com/LiuwqGit), and [@&#8203;HemantSudarshan](https://github.com/HemantSudarshan).
- Control UI startup and first-reply latency are lower through cached model metadata, removal of the startup catalog wait, lazy slash-command loading, and first-event tracing with slow-reply diagnostics. ([#&#8203;91531](openclaw/openclaw#91531), [#&#8203;91538](openclaw/openclaw#91538), [#&#8203;91568](openclaw/openclaw#91568), [#&#8203;91583](openclaw/openclaw#91583), [#&#8203;91598](openclaw/openclaw#91598))
- Provider support expands with OpenRouter OAuth onboarding and Claude Fable 5 adaptive thinking, while Codex sessions keep correct compaction ownership, local models skip guardian review, dynamic tool progress normalizes cleanly, and Gemma 4 reasoning replay is preserved. ([#&#8203;91830](openclaw/openclaw#91830), [#&#8203;91882](openclaw/openclaw#91882), [#&#8203;91590](openclaw/openclaw#91590), [#&#8203;88630](openclaw/openclaw#88630), [#&#8203;88768](openclaw/openclaw#88768), [#&#8203;91696](openclaw/openclaw#91696)) Thanks [@&#8203;Patrick-Erichsen](https://github.com/Patrick-Erichsen), [@&#8203;joshavant](https://github.com/joshavant), [@&#8203;bdjben](https://github.com/bdjben), and [@&#8203;Coder-Wangyankun](https://github.com/Coder-Wangyankun).

##### Changes

- CLI progress: emit Claude CLI commentary progress events and bridge inter-tool commentary into channel progress without exposing internal protocol scaffolding. ([#&#8203;89834](openclaw/openclaw#89834), [#&#8203;90883](openclaw/openclaw#90883)) Thanks [@&#8203;anagnorisis2peripeteia](https://github.com/anagnorisis2peripeteia).
- Observability: allow trusted diagnostics channels to capture tool input/output content, add first-assistant-event traces, and warn on slow initial replies. ([#&#8203;91256](openclaw/openclaw#91256), [#&#8203;91568](openclaw/openclaw#91568), [#&#8203;91583](openclaw/openclaw#91583)) Thanks [@&#8203;amknight](https://github.com/amknight).
- Plugins/ClawHub: dogfood reusable package publishing, let dry runs skip publish approval, allow declared installed trusted hooks, report managed plugin version drift, and warn instead of failing on retired Skill Workshop configuration. ([#&#8203;91574](openclaw/openclaw#91574), [#&#8203;91591](openclaw/openclaw#91591), [#&#8203;90004](openclaw/openclaw#90004), [#&#8203;90927](openclaw/openclaw#90927), [#&#8203;90838](openclaw/openclaw#90838)) Thanks [@&#8203;Patrick-Erichsen](https://github.com/Patrick-Erichsen), [@&#8203;brokemac79](https://github.com/brokemac79), and [@&#8203;lonexreb](https://github.com/lonexreb).
- Memory/providers: move the local llama.cpp runtime into its provider plugin, batch embeddings across files, persist the agent model catalog cache, and keep QMD JSON search one-shot while filtering stale REM recall previews. ([#&#8203;91324](openclaw/openclaw#91324), [#&#8203;89138](openclaw/openclaw#89138), [#&#8203;90457](openclaw/openclaw#90457), [#&#8203;91837](openclaw/openclaw#91837), [#&#8203;91851](openclaw/openclaw#91851)) Thanks [@&#8203;osolmaz](https://github.com/osolmaz), [@&#8203;mushuiyu886](https://github.com/mushuiyu886), [@&#8203;ai-hpc](https://github.com/ai-hpc), and [@&#8203;TurboTheTurtle](https://github.com/TurboTheTurtle).
- Channels/mobile: add the QQBot group mention toggle, improve iPad and iPhone control surfaces, and expose the active connection host in the TUI footer. ([#&#8203;91423](openclaw/openclaw#91423), [#&#8203;91557](openclaw/openclaw#91557), [#&#8203;89909](openclaw/openclaw#89909)) Thanks [@&#8203;cxyhhhhh](https://github.com/cxyhhhhh), [@&#8203;Solvely-Colin](https://github.com/Solvely-Colin), and [@&#8203;baskduf](https://github.com/baskduf).
- Performance: prewarm TUI runtime plugins, deduplicate plugin auto-enable fanout, trim dense text-delta snapshots, and reuse prepared startup model metadata. ([#&#8203;90782](openclaw/openclaw#90782), [#&#8203;89978](openclaw/openclaw#89978), [#&#8203;91580](openclaw/openclaw#91580), [#&#8203;91531](openclaw/openclaw#91531)) Thanks [@&#8203;RomneyDa](https://github.com/RomneyDa) and [@&#8203;ai-hpc](https://github.com/ai-hpc).

##### Fixes

- Agent/session recovery: drop stale approval follow-ups after session rebind, remove drained reply-queue items by identity, recover stale main and visible replies, preserve Codex context-engine compaction ownership, lower the default compaction timeout to 180 seconds while respecting explicit configuration, and keep provider-failure terminal lifecycle state correct. ([#&#8203;85679](openclaw/openclaw#85679), [#&#8203;91450](openclaw/openclaw#91450), [#&#8203;91566](openclaw/openclaw#91566), [#&#8203;91840](openclaw/openclaw#91840), [#&#8203;91590](openclaw/openclaw#91590), [#&#8203;91361](openclaw/openclaw#91361), [#&#8203;91895](openclaw/openclaw#91895)) Thanks [@&#8203;openperf](https://github.com/openperf), [@&#8203;yetval](https://github.com/yetval), [@&#8203;joshavant](https://github.com/joshavant), [@&#8203;wangmiao0668000666](https://github.com/wangmiao0668000666), and [@&#8203;TurboTheTurtle](https://github.com/TurboTheTurtle).
- User-visible content boundaries: suppress Codex/Harmony protocol artifacts, neutralize browser and LanceDB memory media directives, redact transcript images, and preserve native `/compact` replies through source suppression. ([#&#8203;89151](openclaw/openclaw#89151), [#&#8203;91422](openclaw/openclaw#91422), [#&#8203;91425](openclaw/openclaw#91425), [#&#8203;91529](openclaw/openclaw#91529), [#&#8203;90212](openclaw/openclaw#90212)) Thanks [@&#8203;joelnishanth](https://github.com/joelnishanth), [@&#8203;pgondhi987](https://github.com/pgondhi987), [@&#8203;joshavant](https://github.com/joshavant), and [@&#8203;snowzlm](https://github.com/snowzlm).
- Channel delivery: keep WhatsApp captured replies attached to the successor controller after restart, retry Feishu rate limits, preserve Mattermost thread replies, canonicalize LINE webhook paths, restore Discord reply hydration and runtime timeout exports, and show OpenAI Realtime WebRTC assistant transcripts. ([#&#8203;85823](openclaw/openclaw#85823), [#&#8203;89659](openclaw/openclaw#89659), [#&#8203;91684](openclaw/openclaw#91684), [#&#8203;91649](openclaw/openclaw#91649), [#&#8203;90263](openclaw/openclaw#90263), [#&#8203;91686](openclaw/openclaw#91686), [#&#8203;90426](openclaw/openclaw#90426)) Thanks [@&#8203;itsuzef](https://github.com/itsuzef), [@&#8203;ladygege](https://github.com/ladygege), [@&#8203;jacobtomlinson](https://github.com/jacobtomlinson), [@&#8203;fuller-stack-dev](https://github.com/fuller-stack-dev), and [@&#8203;shushushv](https://github.com/shushushv).
- Cron: cancel active task runs cleanly, preserve terminal timeout/cancel state, and recover no-deliver tool warnings instead of silently losing the outcome. ([#&#8203;90666](openclaw/openclaw#90666), [#&#8203;90678](openclaw/openclaw#90678)) Thanks [@&#8203;ai-hpc](https://github.com/ai-hpc).
- Gateway/config/auth: share the approval runtime socket token, replace arrays explicitly in `config.patch`, skip the deleted-agent guard only for valid ACP harness sessions, surface headless LaunchAgent state, verify SQLite auth migration before cleanup, and arm QMD startup maintenance. ([#&#8203;87105](openclaw/openclaw#87105), [#&#8203;91551](openclaw/openclaw#91551), [#&#8203;91219](openclaw/openclaw#91219), [#&#8203;91614](openclaw/openclaw#91614), [#&#8203;91740](openclaw/openclaw#91740), [#&#8203;91978](openclaw/openclaw#91978)) Thanks [@&#8203;fuller-stack-dev](https://github.com/fuller-stack-dev) and [@&#8203;scotthuang](https://github.com/scotthuang).
- Providers/Codex: clarify quota errors, restore the Codex synthetic usage line, canonicalize Codex protocol assets, require API-key auth for realtime voice, normalize ACP model refs, preserve Gemma 4 `reasoning_content`, and avoid guardian review for local models. ([#&#8203;91390](openclaw/openclaw#91390), [#&#8203;91709](openclaw/openclaw#91709), [#&#8203;91507](openclaw/openclaw#91507), [#&#8203;91567](openclaw/openclaw#91567), [#&#8203;88630](openclaw/openclaw#88630), [#&#8203;91696](openclaw/openclaw#91696)) Thanks [@&#8203;hxy91819](https://github.com/hxy91819), [@&#8203;brokemac79](https://github.com/brokemac79), [@&#8203;RomneyDa](https://github.com/RomneyDa), [@&#8203;joshavant](https://github.com/joshavant), and [@&#8203;Coder-Wangyankun](https://github.com/Coder-Wangyankun).
- Updates/builds: recover package Gateway restarts after refresh failure, expose plugin convergence repair, fall back to Corepack in PATH-less pnpm environments, seed the correct Docker store packages, and keep ClawHub dry-run and publish paths reusable. ([#&#8203;91581](openclaw/openclaw#91581), [#&#8203;91599](openclaw/openclaw#91599), [#&#8203;91547](openclaw/openclaw#91547), [#&#8203;91591](openclaw/openclaw#91591)) Thanks [@&#8203;fuller-stack-dev](https://github.com/fuller-stack-dev), [@&#8203;sallyom](https://github.com/sallyom), and [@&#8203;Patrick-Erichsen](https://github.com/Patrick-Erichsen).
- UI: require explicit user intent before opening chat sessions and drain restored chat queues after session switches. ([#&#8203;91480](openclaw/openclaw#91480)) Thanks [@&#8203;TurboTheTurtle](https://github.com/TurboTheTurtle).
- Android: avoid the `dataSync` foreground-service type for persistent nodes. ([#&#8203;80082](openclaw/openclaw#80082)) Thanks [@&#8203;davelutztx](https://github.com/davelutztx).
- Native hooks: bound relay lifetimes so abandoned native hook connections cannot linger indefinitely. ([#&#8203;91550](openclaw/openclaw#91550)) Thanks [@&#8203;joshavant](https://github.com/joshavant).

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

Reviewed-on: https://git.erwanleboucher.dev/eleboucher/homelab/pulls/1040