DEV Community: DemoJacob The latest articles on DEV Community by DemoJacob (@demojacob). https://dev.to/demojacob https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3774535%2Fd6c51d9a-6da0-467c-9690-227af2d4261a.png DEV Community: DemoJacob https://dev.to/demojacob en Your AI Agent Knows Your Passwords — Here's How I Fixed It DemoJacob Mon, 16 Feb 2026 16:10:05 +0000 https://dev.to/demojacob/your-ai-agent-knows-your-passwords-heres-how-i-fixed-it-4kcd https://dev.to/demojacob/your-ai-agent-knows-your-passwords-heres-how-i-fixed-it-4kcd <p>When AI agents automate your browser, they need your login credentials in their context window. That means your passwords are sent to cloud LLM providers, stored in conversation logs, and potentially exposed via prompt injection attacks.</p> <p>I built <a href="https://github.com/DemoJacob/cerberus-keyrouter" rel="noopener noreferrer">Cerberus KeyRouter</a> to fix this.</p> <h2> The Problem </h2> <p>AI agents like OpenClaw, Claude Desktop, and Cursor can automate browsers — filling forms, clicking buttons, navigating pages. But when they hit a login page, the typical flow looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>User: "Log into GitHub for me" User: "Email: jacob@example.com" User: "Password: MyS3cretP@ss" Agent: "Logging in..." </code></pre> </div> <p>That password just traveled through:</p> <ol> <li> <strong>The LLM provider's servers</strong> (Anthropic, OpenAI, etc.) — logged, stored, potentially used for training</li> <li> <strong>API proxy services</strong> — if you're using a third-party API relay (common in many regions), your password passes through yet another unknown middleman</li> <li> <strong>Conversation history</strong> — sitting in plain text in your chat logs</li> </ol> <p>And it gets worse. <strong>Prompt injection</strong> is a real attack vector: a malicious webpage can embed hidden instructions that trick the AI into leaking credentials it learned earlier in the conversation.</p> <h2> The Solution: Placeholder Pattern </h2> <p>The core idea is simple:</p> <blockquote> <p>The AI writes the logic using placeholders. Real credentials are substituted locally and injected directly into the browser. The LLM never sees your actual password.</p> </blockquote> <p>Instead of passing real credentials, the AI agent sends instructions like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"vaultItem"</span><span class="p">:</span><span class="w"> </span><span class="s2">"GitHub"</span><span class="p">,</span><span class="w"> </span><span class="nl">"steps"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"fill"</span><span class="p">,</span><span class="w"> </span><span class="nl">"selector"</span><span class="p">:</span><span class="w"> </span><span class="s2">"#login_field"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"{{email}}"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"fill"</span><span class="p">,</span><span class="w"> </span><span class="nl">"selector"</span><span class="p">:</span><span class="w"> </span><span class="s2">"#password"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"{{password}}"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"click"</span><span class="p">,</span><span class="w"> </span><span class="nl">"selector"</span><span class="p">:</span><span class="w"> </span><span class="s2">"[type=submit]"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Cerberus KeyRouter — an MCP (Model Context Protocol) server running on your machine — intercepts this call, fetches the real credentials from your local Vaultwarden instance, replaces the <code>{{placeholders}}</code>, and executes the actions via Chrome DevTools Protocol (CDP).</p> <p>The AI sees <code>{{password}}</code>. Your browser gets the real password. The LLM never knows the difference.</p> <h2> Architecture </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>AI Agent (OpenClaw, Claude Desktop, etc.) │ │ MCP call: secure_login("GitHub", steps with {{placeholders}}) │ ▼ Login Router (localhost:8899) ├─ Authenticate via bearer token ├─ Fetch credentials from Vaultwarden ├─ Replace {{placeholders}} with real values ├─ Execute via Chrome CDP (localhost only) ├─ Clear credentials from memory └─ Return { status: "ok" } — no passwords in response Vaultwarden (Docker, localhost:8443) └─ E2E encrypted password storage </code></pre> </div> <p>Everything runs locally. Passwords never leave your machine.</p> <h2> Security Model: Six Layers of Defense </h2> <p><strong>1. Implicit allowlist</strong> — Vaultwarden only stores credentials for sites you've explicitly added. The AI can't log into arbitrary sites.</p> <p><strong>2. URL verification</strong> — Before injecting credentials, the router reads the browser's actual URL via CDP and matches it against the vault entry's URI. Phishing sites get rejected.</p> <p><strong>3. Bearer token auth</strong> — Each Vaultwarden account gets a unique token. No token, no access.</p> <p><strong>4. Rate limiting</strong> — 3 attempts per minute, 20 per hour per vault item. Consecutive failures trigger a cooldown.</p> <p><strong>5. Audit logging</strong> — Every login attempt is recorded (success, failure, rate-limited). Passwords are never logged. View at <code>/audit</code>.</p> <p><strong>6. Human-in-the-loop</strong> — High-risk accounts can require manual approval before each login. 50-second timeout, auto-reject if not approved.</p> <h2> Quick Start </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/DemoJacob/cerberus-keyrouter.git <span class="nb">cd </span>cerberus-keyrouter <span class="nb">cp</span> .env.example .env <span class="c"># Set VW_ADMIN_TOKEN in .env</span> docker compose up <span class="nt">--build</span> <span class="nt">-d</span> </code></pre> </div> <p>This gives you:</p> <ul> <li> <strong>Vaultwarden</strong> at <code>https://localhost:8443</code> — add your passwords here</li> <li> <strong>Login Router</strong> at <code>http://localhost:8899</code> — MCP server + admin panel</li> </ul> <p>Open the admin panel at <code>http://localhost:8899/admin</code>, add your Vaultwarden account, and copy the generated bearer token.</p> <p>Connect your AI agent via MCP:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"mcpServers"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"cerberus"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"baseUrl"</span><span class="p">:</span><span class="w"> </span><span class="s2">"http://localhost:8899/mcp"</span><span class="p">,</span><span class="w"> </span><span class="nl">"headers"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Authorization"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Bearer &lt;your-token&gt;"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Done. Your agent can now log into any site in your vault — without knowing a single password.</p> <h2> fill vs type </h2> <p>Most sites work with <code>fill</code> (sets value + dispatches events). React/SPA sites with controlled components may need <code>type</code> (key-by-key input with 50ms delay). Try <code>fill</code> first, switch to <code>type</code> if the form doesn't submit properly.</p> <h2> Multi-Step Login </h2> <p>Banks and other sites often split login across multiple pages. Handle this with separate calls:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">//</span><span class="w"> </span><span class="err">Step</span><span class="w"> </span><span class="mi">1</span><span class="err">:</span><span class="w"> </span><span class="err">username</span><span class="w"> </span><span class="err">+</span><span class="w"> </span><span class="err">next</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"vaultItem"</span><span class="p">:</span><span class="w"> </span><span class="s2">"MyBank"</span><span class="p">,</span><span class="w"> </span><span class="nl">"steps"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"type"</span><span class="p">,</span><span class="w"> </span><span class="nl">"selector"</span><span class="p">:</span><span class="w"> </span><span class="s2">"#username"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"{{username}}"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"click"</span><span class="p">,</span><span class="w"> </span><span class="nl">"selector"</span><span class="p">:</span><span class="w"> </span><span class="s2">"#next"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"wait"</span><span class="p">,</span><span class="w"> </span><span class="nl">"selector"</span><span class="p">:</span><span class="w"> </span><span class="s2">"input[type=password]"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]}</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">Step</span><span class="w"> </span><span class="mi">2</span><span class="err">:</span><span class="w"> </span><span class="err">password</span><span class="w"> </span><span class="err">+</span><span class="w"> </span><span class="err">submit</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"vaultItem"</span><span class="p">:</span><span class="w"> </span><span class="s2">"MyBank"</span><span class="p">,</span><span class="w"> </span><span class="nl">"steps"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"type"</span><span class="p">,</span><span class="w"> </span><span class="nl">"selector"</span><span class="p">:</span><span class="w"> </span><span class="s2">"#password"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"{{password}}"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"click"</span><span class="p">,</span><span class="w"> </span><span class="nl">"selector"</span><span class="p">:</span><span class="w"> </span><span class="s2">"#login"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]}</span><span class="w"> </span></code></pre> </div> <h2> Real-World Usage </h2> <p>I've been running this with OpenClaw for daily tasks. Here's an actual example — my AI agent querying order history on zooplus.de, logged in via Cerberus:</p> <p>The agent reports: <em>"I didn't touch any plaintext passwords. I only passed the placeholders {{email}} and {{password}}. Cerberus fetched the credentials from your local Vaultwarden vault and filled them directly into the browser."</em></p> <p>No password in the LLM context. No password in the logs. No password leaving my machine.<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyqjqzqfk55l0ugde9id3.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyqjqzqfk55l0ugde9id3.png" alt=" " width="528" height="365"></a></p> <h2> Technical Stack </h2> <ul> <li> <strong>TypeScript / Node.js</strong> — login router</li> <li> <strong>Playwright-core</strong> — CDP browser automation</li> <li> <strong>Vaultwarden</strong> — self-hosted Bitwarden (password storage)</li> <li> <strong>MCP Protocol</strong> — Streamable HTTP transport</li> <li> <strong>SQLite</strong> — config + audit log storage</li> <li> <strong>AES-256-GCM</strong> — stored master password encryption</li> <li> <strong>Docker Compose</strong> — one-command deployment</li> </ul> <h2> What's Next </h2> <ul> <li>Cookie caching (login once, reuse sessions)</li> <li>Support for OpenClaw snapshot ref IDs (alongside CSS selectors)</li> <li>Multi-agent framework support</li> <li>SaaS version with zero-knowledge E2E encrypted backend</li> </ul> <h2> Try It </h2> <p>The project is open source under AGPL-3.0:</p> <p><strong>GitHub: <a href="https://github.com/DemoJacob/cerberus-keyrouter" rel="noopener noreferrer">github.com/DemoJacob/cerberus-keyrouter</a></strong></p> <p>Works on macOS and Linux. Docker + Chrome + any MCP-compatible AI agent.</p> <p>Feedback, issues, and stars are all welcome. If you're building AI agents that need to handle authentication, I'd love to hear about your use case.</p> security opensource ai openclaw