TL;DR

  • 1 Create a dedicated "Agents" browser profile and never sign into banking, mail, admin or healthcare in that profile.
  • 2 Turn off automatic actions in your agent (no auto-JS, no automatic clicks, no background fills). Require an explicit summary plus approval for every action.
  • 3 Disable automatic autofill in the agent profile and require your password manager to "confirm before fill."
  • 4 Add "Do-Not-Automate" zones: a list of domains (bank, payroll, health, admin consoles) where the agent refuses to act.
  • 5 Install a kill switch (bookmarklet or hotkey) that immediately pauses the agent and clears agent clipboard/screenshot rights.

Threat model recap

Agents that read pages and act can be steered by attacker-controlled content; safe agent setup reduces the chance that a hidden page instruction or a clickjacked autofill results in data loss or unintended actions.

High-level rules that guide every setup

  • Compartmentalize: agents run in a separated environment (profile, VM, or container).
  • Least privilege: give the agent the smallest set of capabilities it needs for the task.
  • Human-in-the-loop: require explicit user confirmation for any write, sensitive, or external-facing action.
  • Do-Not-Automate lists: forbid agent activity on sensitive domains by policy.
  • Kill switch: a single, reliable way to pause or disable the agent immediately.

Create a dedicated "Agents" browser profile (5 minutes)

This is the single highest-leverage step for browser agents. A separate profile has its own cookie jar, extensions and autofill data, so a compromised page in the Agents profile cannot reach your bank sessions in your personal profile. Note the limit: both profiles still run as the same OS user, so a malicious extension or a browser-level compromise is not contained by a profile; for that you need the VM or container option from the rules above.

  • Open the browser → Profile menu → Add / Manage profiles → create a profile called Agents.
  • In the Agents profile, do not sign in with your main Google/Apple account; keep it local so sync never copies personal passwords or history into it.
  • Install only the agent extension(s) you need. Do not install your primary password manager (or keep it locked).
  • Disable autofill: Settings → Autofill → Passwords → Auto Sign-in = OFF; require a manual click to fill.
  • For password manager use, either don't install it in the Agents profile, or install it but set Require confirmation and Lock on idle = 1 min.
  • Create a Kill Switch bookmarklet (below) and pin it in the Agents profile bookmarks.

Agent permissions & conservative defaults

Start with these defaults and only relax them with explicit, temporary approval. These agent-specific defaults mirror the broader per-permission risk guidance in our Permission Deep Dive - which covers all permission types across consumer apps as well.

Kill switch options

A. Browser bookmarklet (recommended)

Create a bookmark with this snippet:

And a resume bookmarklet:
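The pause and resume bookmarklets described above, written out as an added example that is not part of the original page: a pause function that sets a localStorage flag, a resume function that clears it, a helper that turns either into a javascript: URL for the bookmark's URL field, and the check an agent's content script would run before each action. The key name agent:paused, the event names and the helper names are assumptions, not any real agent's API. A bookmarklet runs as page script and can only signal; revoking screenshot/clipboard rights has to be done by the extension's background script when it sees the flag.

```javascript
// Added example (not from the original page): a localStorage-flag kill switch.
// The flag name "agent:paused", the event names and the helper functions are
// assumptions; a real agent extension would expose its own pause API.

const PAUSE_KEY = "agent:paused";

// Body of the "pause" bookmarklet. It runs inside the current page, so it can
// only signal: set a flag the agent's content script checks before every
// action, and fire an event so an in-page agent loop can abort at once.
// The key is spelled out rather than referencing PAUSE_KEY because
// toBookmarklet() inlines only this function's source.
function pauseAgent(storage = localStorage, win = window) {
  storage.setItem("agent:paused", String(Date.now()));
  win.dispatchEvent(new Event("agent:pause"));
  return true;
}

// Body of the "resume" bookmarklet: clear the flag explicitly. Nothing else
// clears it, so an agent cannot un-pause itself.
function resumeAgent(storage = localStorage, win = window) {
  storage.removeItem("agent:paused");
  win.dispatchEvent(new Event("agent:resume"));
  return true;
}

// Wrap a function as a javascript: URL you can paste into a bookmark's URL
// field. encodeURIComponent keeps quotes and newlines intact inside the URL;
// the trailing void 0 stops the browser from navigating to the return value.
function toBookmarklet(fn) {
  return "javascript:" + encodeURIComponent("(" + fn.toString() + ")();void 0");
}

// What the agent calls (and re-calls) before every action on the page.
// Presence of the key counts as paused, so a stale or tampered value still pauses.
function isAgentPaused(storage = localStorage) {
  return storage.getItem(PAUSE_KEY) !== null;
}

// Gate an action: run it only if the kill switch is not engaged.
function runIfNotPaused(action, storage = localStorage) {
  if (isAgentPaused(storage)) return { ran: false, reason: "kill switch engaged" };
  return { ran: true, result: action() };
}
```

localStorage is per origin, so a flag set by clicking the bookmark on one site is invisible on another; an extension should mirror the flag into its own storage so every tab sees the pause. That is also why the hotkey or toolbar toggle, which the extension owns, is the stronger switch and the bookmarklet is the fallback.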

B. Global hotkey (desktop agents)

Use the agent's built-in Pause hotkey (e.g., Ctrl+Alt+P) or an OS-level shortcut tool that calls the agent's pause API. For desktop apps, make sure the hotkey also revokes screenshot/clipboard permissions and stops the agent's worker threads, not just its UI.

Test your kill switch: practice toggling it while the agent is idle and verify that it blocks the next requested action; then repeat it once mid-task so you know it also interrupts work in progress.

"Do-Not-Automate" zones

Define a per-user list of domains where the agent refuses to act. This is the most robust mitigation for accidental exposure because it is a policy check on the URL, not a judgment the agent makes from page content that an attacker may control.

Enforcement rules:

  • The agent must not read, summarize, click, run JS, or take screenshots on these domains.
  • If the user requests an action on a Do-Not-Automate site, the agent must warn the user, offer a manual workflow instead, and require an explicit override with human confirmation.

Per-agent safe setup templates

A. Claude in Chrome - secure setup (10 minutes)

  • Create the Agents profile (see above).
  • Install the Claude extension only in the Agents profile.
  • In the Claude extension settings: disable Automatic Actions / Auto-run JS; set Screenshots & Clipboard to Ask every time; set Action Confirmation = ON.
  • Password manager: set Require confirmation for autofill and Lock on idle = 1 minute.
  • Do-Not-Automate: add your bank, payroll and mail domains (e.g., bank.com, payroll.company, mail.company) to the list.
  • Kill Switch: create the localStorage bookmarklet and pin it in the Agents profile.
  • Test: open a benign page, click Kill Switch, and confirm the agent refuses to act.

B. Desktop Agent (system assistant that reads screen)

  • Run the agent in a separate desktop account/VM: create a non-primary OS user or a sandbox VM for all agent activity.
  • OS permissions: revoke the agent's screenshot/camera/microphone/clipboard access by default. Grant only when needed and only for an explicit time window.
  • Hotkey Pause: configure a global hotkey that pauses the agent's process and revokes its permissions instantly.
  • Do-Not-Automate: use a hosts file or the agent's config to block sensitive domains.
  • Vault & Secrets: do not map your main password manager into the agent VM. Use an escrow vault with precise, logged access, opened only when explicitly requested.

C. Agent browser extension (AutoAgent-style)

  • Install in the Agents profile only.
  • Extension options: set Action Confirmation and Disable Auto-Fill.
  • UI rendering: prefer the extension's own popup UI for fills, not in-page injected UI, which the page can overlay, hide, or spoof.
  • Permission granularity: deny activeTab / scripting.executeScript by default; require a per-origin grant.
  • Kill Switch: toolbar toggle, with the bookmarklet as fallback.

Agent check pseudocode
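The pre-action gate this heading refers to, as an added example that is not the page's or any vendor's code. It applies the rules above in order: kill switch first, then the Do-Not-Automate zone check (which covers reads and summaries too, with an explicit human override as the only way through), then summary-plus-approval for every write action and for any instruction that originated in page content. The policy shape, the action kinds, the source field and the confirm() callback are assumptions for illustration; the sample domains are constructed.

```javascript
// Added example (not the page's or any vendor's code): the pre-action gate an
// agent should run before every step. Policy shape, action kinds, the `source`
// field and the confirm() callback are assumptions for illustration.

// Constructed sample Do-Not-Automate list (example domains, not real sites).
const DO_NOT_AUTOMATE = ["bank.example", "payroll.example.com", "mail.example.com"];

// Anything that changes state, fills data, or captures pixels/clipboard.
// Pure reads ("read", "summarize") are the only kinds allowed without asking.
const WRITE_ACTIONS = new Set([
  "click", "type", "fill", "submit", "run_js", "screenshot", "read_clipboard", "download",
]);

// Exact or subdomain match only: "notbank.example" must not match "bank.example".
function inDoNotAutomateZone(hostname, zones) {
  const h = hostname.toLowerCase().replace(/\.$/, "");
  return zones.some((z) => {
    const b = z.toLowerCase().replace(/\.$/, "");
    return h === b || h.endsWith("." + b);
  });
}

// One-line summary shown to the human. Report the length of typed text, not
// the text itself, so the approval prompt never echoes a password.
function summarize(action, url) {
  const prefix = action.source === "page" ? "[PAGE-INITIATED] " : "";
  const what = action.kind === "type" || action.kind === "fill"
    ? `${action.kind} ${String(action.text ?? "").length} chars into ${action.target ?? "?"}`
    : `${action.kind} ${action.target ?? ""}`.trim();
  return `${prefix}${what} on ${url.hostname}${url.pathname}`;
}

// confirm(summary) is whatever UI asks the human; it must return true to proceed.
function checkAction(action, state, confirm) {
  const deny = (reason) => ({ allow: false, reason });
  if (state.paused) return deny("kill switch engaged");

  let url;
  try { url = new URL(action.url); } catch { return deny("unparseable URL"); }
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    return deny(`blocked scheme ${url.protocol}`);
  }

  const summary = summarize(action, url);

  // Zone check comes before everything else and covers reads too: the agent
  // must not even summarize these pages. Only an explicit human override passes.
  if (inDoNotAutomateZone(url.hostname, state.doNotAutomate)) {
    if (action.humanOverride === true && confirm(`OVERRIDE Do-Not-Automate: ${summary}`)) {
      return { allow: true, reason: "human override", summary };
    }
    return deny("Do-Not-Automate zone: offer the manual workflow instead");
  }

  // Instructions that originated in page content (hidden text, form labels,
  // comments) are the prompt-injection channel: never act on them silently.
  const needsApproval = WRITE_ACTIONS.has(action.kind) || action.source === "page";
  if (needsApproval && !confirm(summary)) return deny(`not approved: ${summary}`);
  return { allow: true, reason: needsApproval ? "approved by user" : "read-only", summary };
}
```

Run the gate on every step, including steps the agent plans after a page has loaded, since that is exactly when page content may have rewritten the plan. The confirm callback should be the extension's own popup rather than anything rendered into the page, for the overlay and spoofing reasons given in the extension template above.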

Daily / monthly routines

Daily (1–2 minutes)

  • Confirm agent is paused when leaving workstation.
  • Lock vaults; clear clipboard.

Monthly (10 minutes)

  • Run Risk Checkup to find exposed credentials.
  • Review agent activity logs and any "action summary" approvals.
  • Review Do-Not-Automate list and add newly discovered sensitive domains.

Agent Safe Setup - 8 Quick Steps

  • 1 Create a dedicated Agents browser profile; do not log into banking/admin.
  • 2 Disable automatic JS execution & automatic actions in agent settings.
  • 3 Disable screenshot/clipboard/file access unless explicitly approved.
  • 4 Enable human confirmation for every sensitive action.
  • 5 Disable autofill and require confirmation for password-manager fills.
  • 6 Add Do-Not-Automate domains (bank/payroll/health/admin).
  • 7 Install Kill Switch bookmarklet & test it.
  • 8 Monthly: run Risk Checkup + review agent logs.

Get your agent safety setup right

Per-agent checklists, Risk Checkup, masked identities, and virtual cards - all at Ivy.