I do something similar locally by manually specifying all the things I want scrubbed/replaced and having keyboard maestro run a script on my system keyboard whenever doing a paste operation that's mapped to `hyperkey + v`. The plus side of this is that the paste is instant. The latency introduced by even the littlest of inference is enough friction to make you want to ditch the process entirely.

Another plus of the non-extension solution is that it's application agnostic.

Something like this would greatly increase end user confidence. PII in the input could be highlighted so the user knows what is being hidden from the LLM.

As AI gets better and cheaper there will absolutely be influence campaigns conducted at the individual level for every possible thing anyone with money might want, and those campaigns will be so precisely targeted and calibrated by autonomous influencer AI that know so much about you that they will convince you to do the thing they want, whether by emotional manipulation, subtle blackmail, whatever.

It will also be extraordinarily easy to emit subliminal or unconscious signals that will encode a great deal more of our internal state than we want them to.

It will be necessary to have a 'memetic firewall' that reduces our unintentional outgoing informational cross section, while also preventing contamination by the torrent of ideas trying to worm their way into our heads. This firewall would also need to be autonomous, but by exploiting the inherent information asymmetry (your firewall would know you very well) it need not be as powerful as the AI that are trying to exploit you.

Credentials are injected through a separate secure channel while the agent only sees placeholders like "[PASSWORD]". The AI handles navigation and form detection, but sensitive data flows through an isolated path.

For anyone building AI tools that touch PII: separating the "thinking" layer from the "data" layer is essential. Your LLM should never need to see the actual sensitive values to do its job.

Sure go ahead and roast me but please include full proof method you use to make sure that never happens that still allows you to use credentials for developing applications in the normal way.

Encrypting sensitive data can be more useful than blocking entire requests, as LLMs can reason about that data even without seeing it in plain text.

The ipcrypt-pfx and uricrypt prefix-preserving schemes have been designed for that purpose.

It’s one thing for the ENVs to be user pasted but typically you’re also giving the bots access to your file system to interrogate and understand them right? Does this also block that access for ENVs by detecting them and doing granular permissions?

There's also:

- https://github.com/superagent-ai/superagent

- https://github.com/superagent-ai/vibekit

Also, how does this deal with inquiries when piece of PII is important to the task itself? I assume you just have to turn it off?

There are a lot of websites that scans the clipboard to improve user experience, but also pose a great risk to users privacy.