Very neat, but recently I've tried my best to reduce my extension usage across all apps (browsers/ide).
I do something similar locally by manually specifying all the things I want scrubbed/replaced and having keyboard maestro run a script on my system keyboard whenever doing a paste operation that's mapped to `hyperkey + v`. The plus side of this is that the paste is instant. The latency introduced by even the littlest of inference is enough friction to make you want to ditch the process entirely.
Another plus of the non-extension solution is that it's application agnostic.
That's a great idea. My original excuse to not do that was because I copy so many things but, duh, I could just key the sanitizing copy to `hyperkey + c`.
Multiple things: 1) extensions are overly permissive, 2) so many of them are sold to shady entities without peep from the developer, and 3) it's never been easier to generate my own tooling.
I just download the extension file, check it out, and install it locally. No worries about future updates until something breaks (doesn't tend to happen).
fair enough. I'll add that one fantastic use I've found for LLMs is quickly checking the source of a given addon (though obviously this is no replacement for a real audit or finely-grained permissions).
I'd be doing this type of thing a lot more if browsers didn't make it difficult to load unpacked addons (in which case I could be modifying things I didn't like on the fly).
This should be a native feature of the native chat apps for all major LLM providers. There’s no reason why PII can’t be masked from the API endpoint and then replaced again when the LLM responds. “Mary Smith” becomes “Samantha Robertson” and then back to “Mary Smith” on responses from the LLM. A small local model (such as the BERT model in this project) detects the PII.
Something like this would greatly increase end user confidence. PII in the input could be highlighted so the user knows what is being hidden from the LLM.
so what happens if you are running an agent locally and it helpfully tries to write a script that prints the environment variables, for debugging purposes?
This is a great approach. We took a similar philosophy building password automation - the AI agent never sees actual passwords.
Credentials are injected through a separate secure channel while the agent only sees placeholders like "[PASSWORD]". The AI handles navigation and form detection, but sensitive data flows through an isolated path.
For anyone building AI tools that touch PII: separating the "thinking" layer from the "data" layer is essential. Your LLM should never need to see the actual sensitive values to do its job.
Any plans to make the extension perform a replacement of whatever’s flagged with dummy data? Knowing I have sensitive data is usually not a problem, but constantly needing to replace or remove it is, particularly with larger token counts
I've had a similar thoughts! I just put together a document with four sections (original, sanitized, output, unsantized) and built a little command-line tool to automatically filter and copy content between them. For now, my tool uses simple regex and specific keywords, but I really like the approach you're taking!! This is definitely an interesting problem that needs a good solution. I'm excited to see your WASM implementation!
Ok what I would really love is something like this but for the damn terminal. No, I don't store credentials in plaintext, but when they get pulled into memory after being decrypted you really gotta watch $TERMINAL_AGENT or it WILL read your creds eventually and it's ever so much fun explaining why you need to rotate a key.
Sure go ahead and roast me but please include full proof method you use to make sure that never happens that still allows you to use credentials for developing applications in the normal way.
I've used it, lots of false positives out of the box, you need to do a ton of tuning or put a transformer/BERT model with it, but then at that point it's basically the same thing as the OP's project.
How do you prevent these models from reading secrets in your repos locally?
It’s one thing for the ENVs to be user pasted but typically you’re also giving the bots access to your file system to interrogate and understand them right? Does this also block that access for ENVs by detecting them and doing granular permissions?
this prevents claude from directly reading certain files, but doesn't prevent claude from running a command that dumps the file on stdout and then reading stdout... claude will just try to "cat" the file if it decides it wants to see it.
by putting secrets in your environment instead of in your files, and running AI tools in a dedicated environment that has its own set of limited and revocable secrets.
Yes - separate secrets always - but you've still got local or dev secrets. Seems like the above permissions are the right way to go in the end. Thanks.
This is pretty cool. I barely use the web UIs for LLMs anymore. Any way you could make a wrapper for Claude Code/Cursor/Gemini CLI? Ideally it works like github push protection in GH advanced security.
This is a great idea of using a BERT model for DLP at the door. Have you thought integrating this into semantic router as an option leaving the look-ahead ? Maybe a smaller code base ?
Deploy a TLS interceptor (forward proxy). There are many out there, both free and paid for solutions; there are also agent-based endpoint solutions like Netskope which do this so you don't have to route traffic through an internal device.
I feel it's not really applicable here. Pihole has the advantage of funneling all DNS traffic (typically UDP/53) to a single endpoint and making decisions about the request.
A user using an LLM is probably talking directly to the service inside a TLS connection (TCP/443) so there's not a lot of room to inspect the prompt at the same layer a Pihole might (unless you MITM yourself).
I think OP has the right idea to approach this from the application layer in the browser where the contents of the page are available. But to me it feels like a stopgap, something that fixes a specific scenario (copy/pasted private data into a web browser form), and not a proper service-level solution some have proposed (swap PII at the endpoint, or have a client that pre-filters).
This is a concept that I firmly believe will be a fundamental feature of the medium-term future. Personal memetic firewalls.
As AI gets better and cheaper there will absolutely be influence campaigns conducted at the individual level for every possible thing anyone with money might want, and those campaigns will be so precisely targeted and calibrated by autonomous influencer AI that know so much about you that they will convince you to do the thing they want, whether by emotional manipulation, subtle blackmail, whatever.
It will also be extraordinarily easy to emit subliminal or unconscious signals that will encode a great deal more of our internal state than we want them to.
It will be necessary to have a 'memetic firewall' that reduces our unintentional outgoing informational cross section, while also preventing contamination by the torrent of ideas trying to worm their way into our heads. This firewall would also need to be autonomous, but by exploiting the inherent information asymmetry (your firewall would know you very well) it need not be as powerful as the AI that are trying to exploit you.
can i have this between my machine and git please.. Like its twice now I've commmited .env* and totally passed me by (usually because its to a private repo..) then later on we/someone clears down the files.. and forgets to rewrite git history before pushing live.. it should never have got there in the first place.. (I wish github did a scan before making a repo public..)
Already mentioned it in another reply, but .env and passing secrets as environment variables are a tragedy. Take a look at how SecureStore stores secrets encrypted at rest, and you’re even advised to commit them to git!
GitHub does warn you when you have API keys in your repo. Alternatively, there are CLI tools such as TruffleHog you can put in pre-commit hooks to run before commits automatically
Very neat, but recently I've tried my best to reduce my extension usage across all apps (browsers/ide).
I do something similar locally by manually specifying all the things I want scrubbed/replaced and having keyboard maestro run a script on my system keyboard whenever doing a paste operation that's mapped to `hyperkey + v`. The plus side of this is that the paste is instant. The latency introduced by even the littlest of inference is enough friction to make you want to ditch the process entirely.
Another plus of the non-extension solution is that it's application agnostic.
Smart idea! Thanks for sharing.
If we move the detection and modification process from paste to copy operation, that will reduce in-use latency
That's a great idea. My original excuse to not do that was because I copy so many things but, duh, I could just key the sanitizing copy to `hyperkey + c`.
out of curiosity, what's the motivation behind trying to reduce your extension usage everywhere?
Multiple things: 1) extensions are overly permissive, 2) so many of them are sold to shady entities without peep from the developer, and 3) it's never been easier to generate my own tooling.
brutal. I just typed out a much longer response and lost it when my time wasting extension saw the url change (time for a text area cache extension?)
you might find this useful: https://github.com/classvsoftware/under-new-management
my port (and now fork): https://github.com/maxtheaxe/under-new-management-firefox
they currently (PRs are welcome!) only check listing info. mine doesn't route requests through an external (non addon store) server.
a couple PRs are overdue on mine due to linting making the diffs impossible. I'll get to it. (see the wxt-migration branch)
I just download the extension file, check it out, and install it locally. No worries about future updates until something breaks (doesn't tend to happen).
at least on firefox, you can also just disallow automatic updates
I want to see the source, and I don't want to worry about future browser changes messing with my settings..
fair enough. I'll add that one fantastic use I've found for LLMs is quickly checking the source of a given addon (though obviously this is no replacement for a real audit or finely-grained permissions).
I'd be doing this type of thing a lot more if browsers didn't make it difficult to load unpacked addons (in which case I could be modifying things I didn't like on the fly).
This should be a native feature of the native chat apps for all major LLM providers. There’s no reason why PII can’t be masked from the API endpoint and then replaced again when the LLM responds. “Mary Smith” becomes “Samantha Robertson” and then back to “Mary Smith” on responses from the LLM. A small local model (such as the BERT model in this project) detects the PII.
Something like this would greatly increase end user confidence. PII in the input could be highlighted so the user knows what is being hidden from the LLM.
Maybe you should fix your logging to not output secrets in plaintext? Every single modern logging utility has this ability.
so what happens if you are running an agent locally and it helpfully tries to write a script that prints the environment variables, for debugging purposes?
You run your agent in a container and you only give it access to agent-specific secrets that can be rotated easily.
This is a great approach. We took a similar philosophy building password automation - the AI agent never sees actual passwords.
Credentials are injected through a separate secure channel while the agent only sees placeholders like "[PASSWORD]". The AI handles navigation and form detection, but sensitive data flows through an isolated path.
For anyone building AI tools that touch PII: separating the "thinking" layer from the "data" layer is essential. Your LLM should never need to see the actual sensitive values to do its job.
Any plans to make the extension perform a replacement of whatever’s flagged with dummy data? Knowing I have sensitive data is usually not a problem, but constantly needing to replace or remove it is, particularly with larger token counts
I've had a similar thoughts! I just put together a document with four sections (original, sanitized, output, unsantized) and built a little command-line tool to automatically filter and copy content between them. For now, my tool uses simple regex and specific keywords, but I really like the approach you're taking!! This is definitely an interesting problem that needs a good solution. I'm excited to see your WASM implementation!
Ok what I would really love is something like this but for the damn terminal. No, I don't store credentials in plaintext, but when they get pulled into memory after being decrypted you really gotta watch $TERMINAL_AGENT or it WILL read your creds eventually and it's ever so much fun explaining why you need to rotate a key.
Sure go ahead and roast me but please include full proof method you use to make sure that never happens that still allows you to use credentials for developing applications in the normal way.
If you store passwords encrypted at rest à la my SecureStore, this isn’t an issue.
https://github.com/neosmart/securestore-rs
I wonder if this would have been useful https://github.com/microsoft/presidio - its heavy but looks really good. There is a lite version..
I've used it, lots of false positives out of the box, you need to do a ton of tuning or put a transformer/BERT model with it, but then at that point it's basically the same thing as the OP's project.
Looks like it uses Googles Langextract, which uses only LLMs for NLP, while OP is using a small NER model that runs locally.
full of false positives though. but definitely good for some types of entities and regexes
Neat!
There's also:
- https://github.com/superagent-ai/superagent
- https://github.com/superagent-ai/vibekit
How do you prevent these models from reading secrets in your repos locally?
It’s one thing for the ENVs to be user pasted but typically you’re also giving the bots access to your file system to interrogate and understand them right? Does this also block that access for ENVs by detecting them and doing granular permissions?
I configure permission settings within projects.
https://code.claude.com/docs/en/settings#permission-settings
Ah yes - this is the way. Thanks.
this prevents claude from directly reading certain files, but doesn't prevent claude from running a command that dumps the file on stdout and then reading stdout... claude will just try to "cat" the file if it decides it wants to see it.
Yeah - that’s kinda what I was thinking. Unless you’re doing quite granular approvals it gets tricky.
by putting secrets in your environment instead of in your files, and running AI tools in a dedicated environment that has its own set of limited and revocable secrets.
Yes - separate secrets always - but you've still got local or dev secrets. Seems like the above permissions are the right way to go in the end. Thanks.
Neat - I built something similar - https://github.com/deepanwadhwa/zink?tab=readme-ov-file#3-sh...
Curious about how much latency this adds (per input token)? Obviously depends on your computer, but it's it ~10s or ~1s?
Also, how does this deal with inquiries when piece of PII is important to the task itself? I assume you just have to turn it off?
This is pretty cool. I barely use the web UIs for LLMs anymore. Any way you could make a wrapper for Claude Code/Cursor/Gemini CLI? Ideally it works like github push protection in GH advanced security.
This is a great idea of using a BERT model for DLP at the door. Have you thought integrating this into semantic router as an option leaving the look-ahead ? Maybe a smaller code base ?
It wasn’t very clear in the video, does it trigger on paste event or when the page is activated?
There are a lot of websites that scans the clipboard to improve user experience, but also pose a great risk to users privacy.
Could this run at the network level (like TripMode)? So it would catch usage from web based apps but also the ChatGPT app, Codex CLI etc?
Deploy a TLS interceptor (forward proxy). There are many out there, both free and paid for solutions; there are also agent-based endpoint solutions like Netskope which do this so you don't have to route traffic through an internal device.
That would be a great way to get some revenue from "enterprise" customers!
Anything like this for Claude Code/calls to OpenRouter?
I'd like to see this as a Windsurf plugin.
Develop a pihole style adblock
I feel it's not really applicable here. Pihole has the advantage of funneling all DNS traffic (typically UDP/53) to a single endpoint and making decisions about the request.
A user using an LLM is probably talking directly to the service inside a TLS connection (TCP/443) so there's not a lot of room to inspect the prompt at the same layer a Pihole might (unless you MITM yourself).
I think OP has the right idea to approach this from the application layer in the browser where the contents of the page are available. But to me it feels like a stopgap, something that fixes a specific scenario (copy/pasted private data into a web browser form), and not a proper service-level solution some have proposed (swap PII at the endpoint, or have a client that pre-filters).
Really good idea!
This is a concept that I firmly believe will be a fundamental feature of the medium-term future. Personal memetic firewalls.
As AI gets better and cheaper there will absolutely be influence campaigns conducted at the individual level for every possible thing anyone with money might want, and those campaigns will be so precisely targeted and calibrated by autonomous influencer AI that know so much about you that they will convince you to do the thing they want, whether by emotional manipulation, subtle blackmail, whatever.
It will also be extraordinarily easy to emit subliminal or unconscious signals that will encode a great deal more of our internal state than we want them to.
It will be necessary to have a 'memetic firewall' that reduces our unintentional outgoing informational cross section, while also preventing contamination by the torrent of ideas trying to worm their way into our heads. This firewall would also need to be autonomous, but by exploiting the inherent information asymmetry (your firewall would know you very well) it need not be as powerful as the AI that are trying to exploit you.
LLMs don't need your secret tokens (but MCP servers hand them over anyway): https://00f.net/2025/06/16/leaky-mcp-servers/
Encrypting sensitive data can be more useful than blocking entire requests, as LLMs can reason about that data even without seeing it in plain text.
The ipcrypt-pfx and uricrypt prefix-preserving schemes have been designed for that purpose.
can i have this between my machine and git please.. Like its twice now I've commmited .env* and totally passed me by (usually because its to a private repo..) then later on we/someone clears down the files.. and forgets to rewrite git history before pushing live.. it should never have got there in the first place.. (I wish github did a scan before making a repo public..)
Already mentioned it in another reply, but .env and passing secrets as environment variables are a tragedy. Take a look at how SecureStore stores secrets encrypted at rest, and you’re even advised to commit them to git!
https://github.com/neosmart/securestore-rs
GitHub does warn you when you have API keys in your repo. Alternatively, there are CLI tools such as TruffleHog you can put in pre-commit hooks to run before commits automatically
You can try GitGuardian, it is very powerful and free for individual developers and small teams. It has precommit hooks, detection in IDE and all.
You can use git hooks. Pre-commit specifically.
https://git-scm.com/docs/githooks
At least you can put .env in the global gitignore. I haven’t committed DS_Store in 15 years because of it - its secrets will die with me.
sorry.. global gitignore.. what have i been doing..
aside from already mentioned hooks you can add global .gitignore for .env files