# Threat Model

**Document Version:** 1.0.0  
**Last Updated:** February 2026  
**Status:** Published

This document describes the threat model for CBrowser, a cognitive browser automation tool with constitutional AI safety. It identifies assets, trust boundaries, threat actors, attack vectors, mitigations, and residual risks.
## Table of Contents
- System Overview
- Trust Boundaries
- Assets
- Threat Actors
- Attack Vectors & Mitigations
- Residual Risks
- Security Architecture Diagram
## System Overview

CBrowser is an AI-powered browser automation tool that exposes browser control via the Model Context Protocol (MCP). It can be used:

- **Locally** - As a CLI tool or stdio MCP server
- **Remotely** - As an HTTP MCP server for Claude.ai custom connectors
- **Enterprise** - With additional stealth and security features

### Core Components
| Component | Description | Risk Level |
|---|---|---|
| Browser Engine | Puppeteer-controlled Chromium | High |
| MCP Server | HTTP/SSE server accepting AI commands | High |
| Credential Store | Encrypted storage for site credentials | Critical |
| Session Manager | Browser session persistence | Medium |
| Audit Logger | Immutable action history | Low |
| Constitutional Enforcer | Action classification and blocking | Critical |
## Trust Boundaries

```
EXTERNAL (Untrusted)
  [AI Model (Claude)]    [User Input (Prompts)]    [Web Pages (Content)]
           |                       |                        |
           v                       v                        v
==================== BOUNDARY 1: Authentication ==========================
  (OAuth 2.1 / API Key / HMAC)
           |
           v
==================== BOUNDARY 2: Rate Limiting ===========================
  (Burst protection, per-session tracking)
           |
           v
============== BOUNDARY 3: Constitutional Enforcement ====================
  (Action Zone Classification)
  GREEN: auto-exec | YELLOW: log + proceed | RED: verify | BLACK: never execute
           |
           v
INTERNAL (Protected)
  [Browser Engine]    [Credentials (Encrypted)]    [Sessions (Local)]
```
## Assets

### Critical Assets
| Asset | Description | CIA Impact |
|---|---|---|
| Stored Credentials | Site usernames/passwords in encrypted store | C: Critical, I: Critical, A: High |
| Browser Sessions | Authenticated sessions with cookies/tokens | C: Critical, I: High, A: Medium |
| Constitutional Rules | Action classification definitions | C: Low, I: Critical, A: High |
| Audit Logs | Immutable record of all actions | C: Medium, I: Critical, A: Medium |
### Sensitive Assets
| Asset | Description | CIA Impact |
|---|---|---|
| API Keys | Server authentication tokens | C: High, I: High, A: High |
| OAuth Tokens | Auth0 JWT tokens | C: High, I: High, A: Medium |
| Signing Secrets | HMAC shared secrets | C: High, I: High, A: Medium |
| Screenshots | Visual captures of pages | C: Medium, I: Low, A: Low |
## Threat Actors

### 1. Malicious Prompt Injector

**Profile:** External attacker crafting inputs to manipulate the AI into performing unauthorized actions.

**Motivation:** Data theft, unauthorized transactions, privilege escalation.

**Capabilities:**
- Craft prompts that trick the AI into ignoring safety constraints
- Embed hidden instructions in web page content
- Social engineering through conversation context

### 2. Compromised AI Model

**Profile:** The AI model itself, if compromised or hallucinating, acting outside intended boundaries.

**Motivation:** N/A (emergent behavior, not intentional)

**Capabilities:**
- Issue any command the MCP protocol allows
- Attempt to bypass constitutional zones
- Chain multiple low-risk actions into high-risk outcomes

### 3. Network Attacker

**Profile:** External attacker with network access to the MCP server.

**Motivation:** Unauthorized access, data exfiltration, DoS.

**Capabilities:**
- Replay captured requests
- Man-in-the-middle attacks (if TLS is misconfigured)
- Brute-force authentication
- Resource exhaustion

### 4. Insider Threat

**Profile:** Developer or operator with legitimate access to CBrowser infrastructure.

**Motivation:** Data theft, sabotage, credential harvesting.

**Capabilities:**
- Access to signing secrets
- Ability to modify constitutional rules
- Direct access to the credential store
## Attack Vectors & Mitigations

### AV-1: Prompt Injection

| Aspect | Details |
|---|---|
| Vector | Malicious content in AI prompts or web pages |
| Target | Constitutional enforcement bypass |
| Impact | Unauthorized actions (purchases, data access) |
| Likelihood | High |
| Mitigations | ✅ Four-zone action classification (GREEN/YELLOW/RED/BLACK)<br>✅ Immutable prohibited actions list<br>✅ Action-level audit logging<br>✅ Zone classification happens in code, not in the AI |
| Residual Risk | Novel attack patterns may bypass classification |
### AV-2: Credential Theft

| Aspect | Details |
|---|---|
| Vector | Extraction of stored credentials |
| Target | Credential store |
| Impact | Full account compromise |
| Likelihood | Medium |
| Mitigations | ✅ Encrypted credential storage<br>✅ Credentials never logged or exposed in output<br>✅ No tool exposes raw credentials<br>✅ Audit trail for credential usage |
| Residual Risk | Memory extraction attacks, key compromise |
### AV-3: Privilege Escalation via Zone Bypass

| Aspect | Details |
|---|---|
| Vector | Manipulating the AI to reclassify actions |
| Target | Constitutional enforcer |
| Impact | BLACK zone actions executed |
| Likelihood | Low |
| Mitigations | ✅ Zone classification in compiled code<br>✅ No runtime zone modification API<br>✅ AI cannot influence classification |
| Residual Risk | Code vulnerabilities in the enforcer |
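The four-zone dispatch that AV-1 and AV-3 rely on, as an added example that is not CBrowser's own code: the zone is derived from the tool name by a frozen table held in code, so a zone claim carried in the caller's request has no effect and there is nothing to reclassify at runtime. The tool names, the zone table, the prohibited list and the synchronous `verify` hook are illustrative assumptions.

```javascript
// Added example, not CBrowser's own code. Tool names and zone assignments are
// assumptions chosen to illustrate the four zones from the threat model.

// Zone table lives in code and is frozen: there is no runtime API to reclassify
// an action, and assigning to it throws in strict mode (AV-3 mitigations).
const ZONES = Object.freeze({
  navigate: 'GREEN', read_text: 'GREEN', screenshot: 'GREEN',
  click: 'YELLOW', type_text: 'YELLOW',
  submit_form: 'RED', purchase: 'RED',
});
// Immutable prohibited list (AV-1): these are BLACK regardless of anything else.
const PROHIBITED = Object.freeze(['export_credentials', 'disable_audit']);

const auditLog = [];            // stand-in for the append-only audit logger
function audit(entry) { auditLog.push(Object.freeze(entry)); }

// Classification uses only the tool name. Unknown tools fail closed to BLACK.
function classify(tool) {
  if (PROHIBITED.includes(tool)) return 'BLACK';
  return ZONES[tool] ?? 'BLACK';
}

// `request` is what the AI side sends. Any `zone` field in it is ignored, so
// the model cannot influence classification. `execute` performs the browser
// action; `verify` is an out-of-band confirmation hook consulted for RED only.
function enforce(request, { execute, verify }) {
  const zone = classify(request.tool);
  if (zone === 'BLACK') {
    audit({ tool: request.tool, zone, outcome: 'blocked' });
    throw new Error(`${request.tool} is BLACK and is never executed`);
  }
  if (zone === 'RED' && !verify(request)) {
    audit({ tool: request.tool, zone, outcome: 'declined' });
    throw new Error(`${request.tool} is RED and was not verified`);
  }
  // GREEN auto-executes, YELLOW logs and proceeds, RED proceeds once verified;
  // every executed action is recorded at action level.
  audit({ tool: request.tool, zone, outcome: 'executed' });
  return execute(request);
}
```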
### AV-4: Replay Attacks

| Aspect | Details |
|---|---|
| Vector | Capturing and resubmitting signed requests |
| Target | Authenticated endpoints |
| Impact | Duplicate action execution |
| Likelihood | Medium |
| Mitigations | ✅ HMAC request signing with timestamp<br>✅ 5-minute timestamp window<br>✅ Nonce tracking (10-minute TTL)<br>✅ Timing-safe signature comparison |
| Residual Risk | Attacks within the 5-minute window |
### AV-5: Data Exfiltration

| Aspect | Details |
|---|---|
| Vector | AI commanded to scrape and leak data |
| Target | Sensitive page content |
| Impact | Data breach |
| Likelihood | Medium |
| Mitigations | ✅ Rate limiting with burst protection<br>✅ Per-session request tracking<br>✅ Audit logging of all reads<br>⚠️ Domain restrictions (not enforced by default) |
| Residual Risk | Slow exfiltration over time |
### AV-6: Denial of Service

| Aspect | Details |
|---|---|
| Vector | Resource exhaustion attacks |
| Target | MCP server availability |
| Impact | Service unavailable |
| Likelihood | Medium |
| Mitigations | ✅ IP-based rate limiting<br>✅ Burst protection<br>✅ Whitelist for trusted clients<br>✅ Session-based tracking |
| Residual Risk | Distributed attacks from many IPs |
### AV-7: Man-in-the-Middle

| Aspect | Details |
|---|---|
| Vector | Intercepting client-server communication |
| Target | API keys, OAuth tokens, commands |
| Impact | Credential theft, command injection |
| Likelihood | Low (if TLS is enforced) |
| Mitigations | ✅ HSTS header (max-age 1 year)<br>✅ TLS required for production<br>⚠️ mTLS support (optional) |
| Residual Risk | Initial connection before HSTS takes effect |
## Residual Risks
These risks are acknowledged but not fully mitigated:
| Risk | Description | Acceptance Rationale |
|---|---|---|
| Novel Prompt Injection | New attack patterns not covered by current classification | Zone system provides defense-in-depth; continuous monitoring |
| Memory Extraction | Side-channel attacks extracting secrets | Requires local access; out of scope for remote threat model |
| Sophisticated Chaining | Combining many safe actions into unsafe outcome | Audit logging enables detection; rate limiting slows attacks |
| Zero-Day in Browser | Vulnerabilities in Chromium | Using maintained Playwright; auto-updates |
| Insider Key Compromise | Legitimate user leaks signing secret | Operational security; key rotation procedures |
## Security Architecture Diagram

```
              [ AI Client (Claude.ai) ]
                         |
                   HTTPS + Auth
                         |
                         v
 MCP SERVER ---------------------------------------------------------------
 |  Security Layer:   HSTS | CORS | X-Frame-Options | X-XSS-Protection
 |                         |
 |                         v
 |  Authentication:   OAuth 2.1 | API Key | HMAC Sign (optional)
 |                         |
 |                         v
 |  Rate Limiting:    per-session tracking, burst protection, IP whitelist
 |                         |
 |                         v
 |  Constitutional Enforcer:
 |     GREEN: Auto | YELLOW: Log | RED: Verify | BLACK: Block
 |                         |
 |                         v
 |  Browser Engine (Puppeteer + Chromium)
 |                         |
 |                         v
 |  Audit Logger (Immutable action history)
 --------------------------------------------------------------------------
```
## Recommendations for Operators

- **Always use HTTPS** - Never expose the MCP server over plain HTTP
- **Enable authentication** - Set `MCP_API_KEY` or configure Auth0
- **Enable rate limiting** - Set `RATE_LIMIT_ENABLED=true`
- **Use request signing** - Set `MCP_SIGNING_SECRET` for integrity verification
- **Monitor audit logs** - Review `~/.cbrowser/audit/` regularly
- **Rotate credentials** - Update API keys and signing secrets periodically
- **Restrict network access** - Use firewall rules to limit MCP server exposure
## Changelog
| Version | Date | Changes |
|---|---|---|
| 1.0.0 | Feb 2026 | Initial threat model |
This threat model is maintained as part of CBrowser's security posture. Report security issues via the process described in SECURITY.md.