Triple-Lock Security
Comet AI implements a defense-in-depth approach with three independent security layers. Even if one layer is compromised, the others provide protection.
3
Security Layers
0
Unprotected Actions
100%
Human Approval Rate
Defense in Depth
The Three Layers
Visual Sandbox
The AI perceives web pages through a multi-layered model: high-fidelity screenshots, a filtered SecureDOM reader, and targeted in-page DOM search.
How It Works
- Full-page screenshots provide visual context
- Tesseract.js OCR extracts visible text and layout
- SecureDOM Reader (READ_PAGE_CONTENT) extracts text nodes while stripping scripts and hidden trackers
- In-Page DOM Search (SEARCH_DOM) allows targeted queries for specific text without full context exposure
- PII Filtering sanitizes data before it reaches the AI context
Benefits
- Prevents prompt injection via DOM manipulation
- No JavaScript can influence AI behavior
- Hidden elements remain invisible to AI
- Malicious scripts cannot reach the AI layer
Syntactic Firewall
Every command is analyzed for dangerous patterns before execution.
How It Works
- Commands are scanned for shell primitives (rm -rf, sudo, dd)
- Encoded payloads and obfuscation are decoded and checked
- Jailbreak patterns and role-override attempts are blocked
- Network-based attacks (curl to malicious servers) are prevented
Benefits
- Stops known attack patterns at the gate
- Prevents accidental destructive commands
- Provides logging for security audits
- Custom rules can be added by administrators
Blocked Patterns
rm -rfRecursive deletesudo Privilege escalationdd if=Direct disk write:(){ :|:& };:Fork bombeval(base64Encoded payloadcurl.*\| shPipe to shellwget.*\| shDownload & executeMonitored Patterns
rm File deletionchmod 777Permission changekill Process terminationpkillPattern-based killHuman-in-the-Loop
Critical actions require explicit human approval before execution.
How It Works
- AI generates a command with proposed action
- User sees the exact command before execution
- Medium risk: User can approve with keyboard shortcut
- High risk: User must scan QR code with mobile app
- Command only executes after explicit approval
Benefits
- No automated execution of destructive commands
- QR approval ensures physical presence
- Mobile app confirms identity
- User maintains full control at all times
Approval Tiers
Low Risk
Instant / Shift+TabRead-only actions, navigation, volume changes
• Taking screenshots
• Navigating to URLs
• Adjusting volume
Medium Risk
Shift+Tab RequiredActions that modify browser state or open apps
• Filling forms
• Clicking buttons
• Opening applications
High Risk
QR Code + Mobile ApprovalShell commands, external app clicks, system changes
• Shell command execution
• External app automation
• File modifications
Real-World Protection
Threat Scenarios
See how each security layer protects against common attack vectors.
Prompt Injection via Hidden Text
A malicious webpage hides prompt injection instructions in invisible text
Defense
Visual Sandbox prevents the AI from seeing hidden DOM elements. OCR only captures visible, rendered text.
Malicious JavaScript Redirect
A webpage uses JavaScript to redirect the AI to a phishing site
Defense
The AI only sees screenshots of the actual rendered page. JavaScript execution is blocked from the AI's perspective.
Social Engineering via Commands
An attacker tricks the AI into running 'rm -rf /'
Defense
The Syntactic Firewall blocks execution of dangerous shell patterns regardless of how the command is phrased.
Context Injection via Context Switching
A webpage contains instructions that attempt to override AI behavior
Defense
All user-provided content is filtered for injection patterns before reaching the AI context.
Unauthorized Shell Execution
AI autonomously executes a destructive shell command
Defense
Human-in-the-Loop requires explicit approval for all shell commands. High-risk commands require QR approval.
Remote Code Execution
AI is tricked into downloading and running malicious code
Defense
Shell commands requiring downloads are blocked by default. User approval ensures no unauthorized code execution.
Access Control
Permission Levels
Screen Reading
Required for AI to see page content
Shell Execution
Required for terminal commands
App Launching
Required for opening applications
File System Access
Required for PDF generation and downloads
Network Access
Required for web browsing and API calls
Clipboard Access
Required for copy/paste functionality
High-Risk Actions
QR Code Approval
Mobile App Approval
High-risk actions require physical confirmation via the Comet AI mobile app.
Action Triggered
AI attempts high-risk command
QR Displayed
Desktop shows unique QR code
Scan & Verify
Mobile app scans QR
PIN Confirmation
Enter 6-digit verification code
Command Executed
Action proceeds after approval
Security Guarantees
- QR codes expire after 60 seconds
- Each QR code is cryptographically unique
- PIN codes are generated per-session
- Mobile must be paired via secure handshake
- Failed attempts trigger alert notifications
- All approvals are logged with timestamps
Data Protection
E2E Encryption
AES-256-GCM
All sensitive data at rest is encrypted using AES-256-GCM with authenticated encryption.
AES-256-GCMPBKDF2-SHA512100,00012 bytesImplementation
Use Cases
Credential Security
API Key Protection
Key Redaction
API keys are automatically masked in logs and console output
Bearer|token|api[_-]?key|secret→ [REDACTED]Secure Storage
Keys stored in encrypted electron-store with OS keychain integration
Environment Isolation
Keys are never exposed to renderer process without explicit access
Auto-Masking
AI prompts are scrubbed for API keys before processing
sk-... (OpenAI)AIza... (Google)anthropic-... (Anthropic)gsk_... (Groq)Token Generation
Method
crypto.randomUUID()Entropy
256-bitUses
Session tokens, pairing codes, QR verification
Ready to Automate?
Learn how to schedule tasks, set up automations, and integrate with external tools while maintaining security.