Security Model

Triple-Lock Security

Comet AI implements a defense-in-depth approach with three independent security layers. Even if one layer is compromised, the others provide protection.

3 security layers. 0 unprotected actions. 100% human approval rate.

Defense in Depth

The Three Layers

1. Visual Sandbox

The AI perceives web pages only through screenshots and OCR, never raw HTML or JavaScript.

How It Works

  • Browser content is captured as screenshots
  • Tesseract.js OCR extracts visible text
  • AI receives sanitized text descriptions only
  • No access to DOM, cookies, localStorage, or JavaScript state

Benefits

  • Prevents prompt injection via DOM manipulation
  • No JavaScript can influence AI behavior
  • Hidden elements remain invisible to AI
  • Malicious scripts cannot reach the AI layer

2. Syntactic Firewall

Every command is analyzed for dangerous patterns before execution.

How It Works

  • Commands are scanned for shell primitives (rm -rf, sudo, dd)
  • Encoded payloads and obfuscation are decoded and checked
  • Jailbreak patterns and role-override attempts are blocked
  • Network-based attacks (curl to malicious servers) are prevented

Benefits

  • Stops known attack patterns at the gate
  • Prevents accidental destructive commands
  • Provides logging for security audits
  • Custom rules can be added by administrators

Blocked Patterns

  Pattern          Description
  rm -rf           Recursive delete
  sudo             Privilege escalation
  dd if=           Direct disk write
  :(){ :|:& };:    Fork bomb
  eval(base64      Encoded payload
  curl.*\| sh      Pipe to shell
  wget.*\| sh      Download & execute

Monitored Patterns

  Pattern          Description
  rm               File deletion
  chmod 777        Permission change
  kill             Process termination
  pkill            Pattern-based kill
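The following is an added example, not Comet AI's own code, showing how a syntactic firewall of the kind described above can be built: the Blocked and Monitored tables are turned into regular expressions, a blocked match wins over a monitored one, and base64 runs inside the command are decoded and scanned as well (the 16-character minimum and printable-text check are assumptions about how "encoded payloads are decoded and checked" could be implemented). The audit line format is also an assumption.

```javascript
// Added example, not Comet AI's code: a pattern-based syntactic firewall that
// classifies a proposed shell command as block / monitor / allow. The rules are
// the page's Blocked and Monitored tables turned into regular expressions; the
// base64 unwrapping is one assumed way to implement "encoded payloads are
// decoded and checked".

const BLOCKED = [
  { re: /\brm\s+-rf\b/,              why: 'Recursive delete' },
  { re: /\bsudo\b/,                  why: 'Privilege escalation' },
  { re: /\bdd\s+if=/,                why: 'Direct disk write' },
  { re: /:\(\)\s*\{\s*:\|:&\s*\};:/, why: 'Fork bomb' },
  { re: /\beval\(\s*base64/,         why: 'Encoded payload' },
  { re: /\bcurl\b.*\|\s*sh\b/,       why: 'Pipe to shell' },
  { re: /\bwget\b.*\|\s*sh\b/,       why: 'Download & execute' },
];

const MONITORED = [
  { re: /\brm\b/,          why: 'File deletion' },
  { re: /\bchmod\s+777\b/, why: 'Permission change' },
  { re: /\bkill\b/,        why: 'Process termination' },
  { re: /\bpkill\b/,       why: 'Pattern-based kill' },
];

// Decode base64 runs long enough to hide a command and return every "view"
// of the command (raw plus each decoded payload) so all of them get scanned.
// Assumption: a 16-char minimum and a printable-ASCII check keep ordinary
// tokens (paths, flags, hostnames) from being "decoded" into noise.
function expandEncoded(cmd) {
  const views = [cmd];
  const candidates = cmd.match(/[A-Za-z0-9+/]{16,}={0,2}/g) || [];
  for (const token of candidates) {
    const decoded = Buffer.from(token, 'base64').toString('utf8');
    if (decoded.length > 0 && /^[\x20-\x7e\s]+$/.test(decoded)) views.push(decoded);
  }
  return views;
}

// Returns { verdict, reason, matched }, where `matched` is the view (raw or
// decoded) that tripped a blocked rule. Blocked rules take priority; every
// monitored rule that fires is reported so the log explains the verdict.
function inspectCommand(cmd) {
  const views = expandEncoded(cmd);
  for (const view of views) {
    for (const rule of BLOCKED) {
      if (rule.re.test(view)) return { verdict: 'block', reason: rule.why, matched: view };
    }
  }
  const flags = [];
  for (const view of views) {
    for (const rule of MONITORED) {
      if (rule.re.test(view) && !flags.includes(rule.why)) flags.push(rule.why);
    }
  }
  if (flags.length > 0) return { verdict: 'monitor', reason: flags.join(', '), matched: cmd };
  return { verdict: 'allow', reason: null, matched: cmd };
}

// One audit-log line per inspected command (format is an assumption), for the
// "provides logging for security audits" property.
function auditLine(cmd, now = new Date()) {
  const r = inspectCommand(cmd);
  return `${now.toISOString()} ${r.verdict.toUpperCase()} ${r.reason || '-'} :: ${cmd}`;
}
```

A command such as `echo <base64 of "rm -rf /tmp/cache"> | base64 -d | sh` is blocked because the decoded view, not the raw text, matches the `rm -rf` rule; administrators would extend `BLOCKED` or `MONITORED` with their own entries.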

3. Human-in-the-Loop

Critical actions require explicit human approval before execution.

How It Works

  • AI generates a command with proposed action
  • User sees the exact command before execution
  • Medium risk: User can approve with keyboard shortcut
  • High risk: User must scan QR code with mobile app
  • Command only executes after explicit approval

Benefits

  • No automated execution of destructive commands
  • QR approval ensures physical presence
  • Mobile app confirms identity
  • User maintains full control at all times

Approval Tiers

Low Risk (Instant / Shift+Tab)

Read-only actions, navigation, volume changes:

  • Taking screenshots
  • Navigating to URLs
  • Adjusting volume

Medium Risk (Shift+Tab Required)

Actions that modify browser state or open apps:

  • Filling forms
  • Clicking buttons
  • Opening applications

High Risk (QR Code + Mobile Approval)

Shell commands, external app clicks, system changes:

  • Shell command execution
  • External app automation
  • File modifications

Real-World Protection

Threat Scenarios

See how each security layer protects against common attack vectors.

Prompt Injection via Hidden Text

A malicious webpage hides prompt injection instructions in invisible text.

Defense (Visual Sandbox): The Visual Sandbox prevents the AI from seeing hidden DOM elements. OCR only captures visible, rendered text.

Malicious JavaScript Redirect

A webpage uses JavaScript to redirect the AI to a phishing site.

Defense (Visual Sandbox): The AI only sees screenshots of the actual rendered page. JavaScript execution is blocked from the AI's perspective.

Social Engineering via Commands

An attacker tricks the AI into running 'rm -rf /'.

Defense (Syntactic Firewall): The Syntactic Firewall blocks execution of dangerous shell patterns regardless of how the command is phrased.

Context Injection via Context Switching

A webpage contains instructions that attempt to override AI behavior.

Defense (Syntactic Firewall): All user-provided content is filtered for injection patterns before reaching the AI context.

Unauthorized Shell Execution

The AI autonomously executes a destructive shell command.

Defense (HITL): Human-in-the-Loop requires explicit approval for all shell commands. High-risk commands require QR approval.

Remote Code Execution

The AI is tricked into downloading and running malicious code.

Defense (HITL + Firewall): Shell commands requiring downloads are blocked by default. User approval ensures no unauthorized code execution.

Access Control

Permission Levels

  Permission            Purpose                                     Level
  Screen Reading        Required for AI to see page content         Required
  Shell Execution       Required for terminal commands              High Risk
  App Launching         Required for opening applications           Medium Risk
  File System Access    Required for PDF generation and downloads   Required
  Network Access        Required for web browsing and API calls     Required
  Clipboard Access      Required for copy/paste functionality       Medium Risk

High-Risk Actions

QR Code and Mobile App Approval

High-risk actions require physical confirmation via the Comet AI mobile app.

  1. Action Triggered: AI attempts high-risk command
  2. QR Displayed: Desktop shows unique QR code
  3. Scan & Verify: Mobile app scans QR
  4. PIN Confirmation: Enter 6-digit verification code
  5. Command Executed: Action proceeds after approval

Security Guarantees

  • QR codes expire after 60 seconds
  • Each QR code is cryptographically unique
  • PIN codes are generated per-session
  • Mobile must be paired via secure handshake
  • Failed attempts trigger alert notifications
  • All approvals are logged with timestamps
