Agent Daily Sources +3

Web Fetch Is Emerging as a Security Boundary for AI Agents

A year ago, “web fetch” in an agent might have meant little more than “grab the page and hand the text to the model.” Recent code in OpenClaw, Gemini CLI, and Crush suggests that era is ending. In these projects, the web tool is starting to look like a trust boundary: part scraper, part sanitizer, part permission system, part anti-SSRF guard.

repo openai/codex main
3 source signals 4 repos 5bd5503
> 5bd5503 / March 26, 2026 / Agent Daily

The easy metaphor is that agent builders are adding seatbelts to browsing.

That matters because the web is not just a knowledge source for agents. It is also one of the cleanest delivery mechanisms for prompt injection, hidden instructions, poisoned redirects, and internal-network probing. Once an agent can fetch pages and act on what it reads, “just fetch it” stops being a harmless feature request.

The pattern is bigger than better scraping: in these repos, web access is becoming a capability with explicit controls around what gets fetched, exposed, and trusted.

OpenClaw hardens extraction against hidden content

OpenClaw shows the clearest “web fetch as security perimeter” shift in raw code. In src/agents/tools/web-fetch.ts, the tool validates that URLs are http or https, calls assertPublicHostname(...) before making requests, and manually follows redirects with explicit loop and redirect-count checks. That is already a different posture from naïve fetch wrappers that trust the platform defaults.

The more revealing move sits in src/agents/tools/web-fetch-visibility.ts. OpenClaw now strips HTML comments, removes hidden DOM nodes, and filters out content hidden through tricks like display:none, visibility:hidden, aria-hidden, hidden, sr-only classes, offscreen positioning, and zero-size overflow hacks. It also strips invisible Unicode characters often used to smuggle instructions into model-visible text.

That is not ordinary extraction polish. It is a direct acknowledgement that pages shown to humans and pages ingested by models are not the same thing. A hidden span is a design detail for a browser, but it can become a control channel for an agent.

Then there is the fallback story. In src/agents/tools/web-tools.ts, OpenClaw prefers Mozilla Readability for extraction, but can fall back to Firecrawl when Readability fails or when the page needs a more robust extraction path. The response payload tracks which extractor won. The same tool is now balancing content quality, resilience, and security posture in one place.

Gemini CLI adds network policy and approvals to fetch

Gemini CLI is converging on the same destination from a slightly different angle. In packages/core/src/utils/fetch.ts, its safeLookup() path performs connection-level DNS filtering, blocks private and reserved address ranges, and builds a dedicated dispatcher so protection happens at the networking layer, not merely in string validation. That is the sort of networking-layer control you add when SSRF is part of the threat model.

Its packages/core/src/tools/web-fetch.ts goes further by making the tool itself more policy-aware. The code rate-limits requests per host, normalizes URLs, rewrites GitHub blob URLs to raw content URLs, sanitizes content for XML embedding, limits body size while streaming, and blocks direct fetches to private hosts in experimental mode.

Even more interesting is the UX around trust. The same tool builds explicit confirmation details for the URLs it is about to fetch, and a recent patch enables persistent approval behavior for web_fetch. That suggests the team is treating web fetch as a user-governed capability, not just a backend call.

Gemini turns fetch into a managed capability, with approval, normalization, limits, and network-aware policy.

Crush wraps fetch in a scoped analysis workflow

Crush adds a useful third signal because it pushes the pattern toward workflow design. In internal/agent/agentic_fetch_tool.go, the new agentic_fetch flow first requests permission, then fetches the target page, then spins up a focused sub-agent armed with web_fetch, glob, grep, and view to analyze what came back.

Fetching is no longer a one-shot utility call. It becomes a scoped investigation with its own tools and session lifecycle.

The implementation in internal/agent/tools/web_fetch.go makes the same point pragmatically: when a page is large, Crush saves it to a temp file and tells the agent to inspect it with view and grep instead of flooding the model context directly. That is both an ergonomics choice and a containment choice.

Then internal/agent/tools/search.go adds a search mode around the workflow, parsing DuckDuckGo HTML results and turning web discovery into the front end of the fetch-analysis loop. Crush is wrapping retrieval, inspection, and search into a permissioned workflow.

Why this is happening now

The broader web context helps explain the timing. OWASP’s LLM Prompt Injection Prevention Cheat Sheet explicitly calls out indirect prompt injection through web pages, hidden text, code comments, and other fetched content. That is almost a checklist of the risks these repos are now coding around.

At the same time, products like Firecrawl are thriving precisely because “turn any URL into clean data” has become its own infrastructure problem, with proxies, caching, dynamic rendering, and extraction quality sold as features. And projects like browser-use are normalizing the idea that agents should be able to operate directly on the web, not just answer questions about it.

Put those together and the pressure becomes obvious. If web access is becoming a default agent capability, then safe and legible web access has to become a default engineering problem.

The broader pattern: the fetch tool is becoming a trust stack

OpenClaw hardens redirects, strips hidden prompt-injection surfaces, and blends Readability with Firecrawl. Gemini CLI pushes SSRF protection down into DNS resolution while layering approvals, host rate limits, URL normalization, and size controls on top. Crush wraps fetch in permissions and turns the result into a delegated analysis session.

Different architectures, same direction: the web tool is no longer just a text pipe into the model. It is becoming a stack of decisions about what to fetch, how to extract it, what to hide from the model, which hosts to trust, when to ask permission, and how much context to expose.

That is a meaningful shift in agent design. We often talk about models getting smarter. But this week’s code shows another truth: agents are getting more suspicious. And honestly, they should.

The takeaway is simple: in modern agent systems, web access is starting to look less like a convenience feature and more like a security-sensitive runtime capability. The interesting change is not just that agents can fetch the web; it’s that serious implementations are beginning to treat the fetch path as something that must be constrained, sanitized, and audited. If you’re building one, show the boundary in code — and invite others to inspect it.

Letters & Corrections

Send a note to the desk

Corrections, missing context, or a follow-up lead.