Zenity Labs just published one of the most consequential AI agent security disclosures yet. Their “PleaseFix” vulnerability family demonstrates how agentic browsers — AI agents that browse the web and use tools on your behalf — can be silently hijacked through something as mundane as a calendar invite.

The specific findings target Perplexity’s Comet browser, but the attack pattern applies broadly to any AI agent with tool access and authenticated sessions. Including OpenClaw.

What PleaseFix Is

PleaseFix is a family of vulnerabilities that exploit a fundamental flaw in how agentic systems handle trust. The subfamily “PerplexedBrowser” targets Perplexity Comet specifically, but the underlying problem is architectural.

The core issue: agentic browsers can’t reliably distinguish between legitimate user intent and attacker-planted instructions embedded in content they process.

This isn’t prompt injection in the “type something malicious into the chatbox” sense. It’s indirect prompt injection — hiding instructions in content the agent encounters during routine tasks.

The Attacks

Exploit 1: Zero-Click File Exfiltration

A malicious calendar invite contains hidden instructions. When you ask Comet to process it — “summarize this meeting invite,” “accept and add to calendar” — the embedded payload triggers the agent to:

  1. Navigate to local file paths using file:// URLs
  2. Read sensitive documents (anything named “passwords,” “credentials,” SSH keys, environment files)
  3. Exfiltrate file contents to an attacker-controlled server
  4. Return a perfectly normal response about the calendar invite

No clicks. No warnings. No indication anything happened. The agent does exactly what you asked (processes the invite) while simultaneously executing the hidden attack.

Exploit 2: Password Manager Takeover

This one is worse. The attack manipulates the agent’s interaction with 1Password’s Web Vault — not by exploiting 1Password itself, but by abusing the agent’s authenticated browser session:

  1. The agent navigates to the 1Password Web Vault (already authenticated via Comet’s session)
  2. Browses vault entries and extracts usernames and passwords
  3. In the escalated scenario: changes the master password to an attacker-controlled value
  4. Extracts recovery material (email address, Secret Key) for full account takeover

The attacker never touches 1Password directly. They don’t need to. They control the agent, and the agent has the user’s access.

Why This Matters for OpenClaw Users

OpenClaw doesn’t have an integrated browser agent like Comet, but the trust boundary problem is identical. Consider:

  • Skills that process external content — any skill that reads emails, parses web pages, or processes documents from untrusted sources faces the same injection vector
  • MCP servers with tool access — if an MCP server can read files, make API calls, or interact with authenticated services, a compromised input can chain those capabilities
  • Browser automation — OpenClaw users who connect browser tools face directly analogous risks

The pattern is always the same: attacker controls content → agent processes content → hidden instructions execute with the agent’s permissions.

What Perplexity and 1Password Did

Both companies responded through responsible disclosure:

Perplexity blocked file:// access at the code level (treating the agent as untrusted for local file operations), added user confirmation dialogs for sensitive actions, and provided enterprise controls to disable the agent on designated sites. A second fix landed in February 2026 after researchers found a view-source:file:/// workaround.

1Password added options to disable automatic sign-in and require explicit confirmation before autofilling credentials. Their advisory confirmed the root cause sits in the browser execution model, not in 1Password.
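The file:// block and the later view-source:file:/// workaround illustrate why scheme denylists are fragile. The following is an added example, not code from Perplexity, Zenity Labs or OpenClaw. It compares a denylist on the outer URL scheme with a default-deny allowlist; the function names, the allowlist contents and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the agent only ever needs to fetch ordinary web content.
ALLOWED_SCHEMES = {"http", "https"}


def denylist_allows(url: str) -> bool:
    """Weak policy: refuse only URLs whose outer scheme is file."""
    return urlsplit(url.strip()).scheme != "file"


def allowlist_allows(url: str) -> bool:
    """Default-deny policy: outer scheme must be allowlisted and a host present."""
    parts = urlsplit(url.strip())
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.hostname)


# Constructed navigation requests an agent might be steered toward.
SAMPLES = [
    "https://calendar.example/invite/123",
    "file:///home/user/notes.txt",
    "FILE:///home/user/notes.txt",
    "view-source:file:///home/user/notes.txt",
]


def compare(urls):
    """Map each URL to (denylist verdict, allowlist verdict)."""
    return {u: (denylist_allows(u), allowlist_allows(u)) for u in urls}


if __name__ == "__main__":
    for url, (weak, strict) in compare(SAMPLES).items():
        print(f"{url:45} denylist={weak!s:5} allowlist={strict}")
```

The wrapped URL parses with the outer scheme view-source, so the denylist passes it while the allowlist rejects it without needing to know the wrapper exists.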

Protecting Your OpenClaw Setup

The PleaseFix pattern maps directly to OpenClaw security principles:

1. Treat Agent Inputs as Untrusted

Never assume content an agent processes is benign. Emails, calendar invites, web pages, documents — any external data can carry injection payloads.

# In your OpenClaw config, restrict what skills can access
security:
  fileAccess: restricted  # Don't give broad filesystem access
  allowedPaths:
    - ./workspace
    - ./memory

2. Minimize Agent Permissions

The 1Password exploit worked because the agent had access to everything the user did. Apply least privilege:

  • Don’t give agents access to password managers or credential stores
  • Limit browser sessions to isolated profiles without saved passwords
  • Use separate browser profiles for agent automation vs. personal browsing

3. Require Confirmation for Sensitive Actions

OpenClaw’s safety model already supports confirmation prompts. Use them:

  • File operations outside the workspace → confirm
  • Any action that sends data to external endpoints → confirm
  • Credential or authentication-related actions → always confirm
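One way to express these three rules as a gate in front of tool execution, shown as an added example rather than OpenClaw's own API. The call shape, the action names, the trusted host and the sample calls are hypothetical; the two roots mirror the allowedPaths entries in the config above.

```python
from pathlib import Path
from urllib.parse import urlsplit

# Hypothetical policy values; the roots mirror allowedPaths in the config above.
ALLOWED_ROOTS = [Path("./workspace").resolve(), Path("./memory").resolve()]
TRUSTED_HOSTS = {"api.internal.example"}
CREDENTIAL_KINDS = {"read_secret", "autofill", "change_password"}
FILE_KINDS = {"read_file", "write_file"}


def inside_allowed_roots(raw_path: str) -> bool:
    """Resolve '..' and symlinks first, then test containment."""
    target = Path(raw_path).resolve()
    return any(target == root or root in target.parents for root in ALLOWED_ROOTS)


def decide(call: dict) -> str:
    """Return 'allow' or 'confirm' for one proposed tool call."""
    kind = call.get("kind")
    if kind in CREDENTIAL_KINDS:
        return "confirm"  # credential actions: always confirm
    if kind in FILE_KINDS:
        return "allow" if inside_allowed_roots(call["path"]) else "confirm"
    if kind == "http_request":
        # Any request to an unlisted host can carry data out, even a GET.
        host = urlsplit(call["url"]).hostname
        return "allow" if host in TRUSTED_HOSTS else "confirm"
    return "confirm"  # unknown action types fail closed


# Constructed tool calls, as an agent might propose while handling an invite.
CALLS = [
    {"kind": "read_file", "path": "./workspace/meeting-notes.md"},
    {"kind": "read_file", "path": "./workspace/../.env"},
    {"kind": "http_request", "url": "https://api.internal.example/calendar"},
    {"kind": "http_request", "url": "https://collector.example/upload"},
    {"kind": "change_password"},
]

if __name__ == "__main__":
    for call in CALLS:
        print(decide(call), call)
```

Resolving the path before the containment test is what stops a `..` segment from escaping the workspace while still matching the prefix textually.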

4. Watch for the Pattern

The PleaseFix attack chain is: routine task → hidden instruction → sensitive action → exfiltration. If your agent setup allows all four steps without interruption, you’re vulnerable.

The Bigger Picture

Zenity Labs calls PleaseFix an “inherent vulnerability in agentic systems” rather than an isolated bug. They’re right. As AI agents gain more capabilities — browsing, file access, API calls, payment authorization — the attack surface grows proportionally.

The ClawJacked disclosure we covered last week showed the same pattern from a different angle. So did the Claude Code MCP vulnerabilities. The thread connecting all of them: agents inherit user trust, and that trust can be redirected.

Every new integration, every new tool, every new permission you grant your agent is a potential link in an attack chain. The defense isn’t to avoid agents — it’s to architect agent systems with the assumption that any input could be adversarial.

PleaseFix is patched. The pattern isn’t going anywhere.

For more on agent security attack patterns, read about ClawJacked, Claude Code MCP supply chain attacks, and the Agents of Chaos red team study. For defensive configuration, see our guardrails guide.


PleaseFix was responsibly disclosed by Zenity Labs. Perplexity and 1Password both issued patches. If you’re running Perplexity Comet, update to the latest version.