Home
Softono
pie-ai-agent

pie-ai-agent

Open source Apache-2.0 TypeScript
Website GitHub
17
Stars
2
Forks
10
Issues
0
Watchers
1 week
Last Commit
AI Agents Browser Automation

About pie-ai-agent

Browser-automation agent for Chrome — natural-language tasks executed through native tool calling, scoped Skills, CDP keyboard control, and a confirm-before-act security model. BYOK across 8 LLM providers (Claude, GPT, Gemini, DeepSeek + 4 China-region).

Platforms

Web Self-hosted

Languages

TypeScript

Links

Website Source Code
w
Published by
wiseriaai
Visit View Profile

README.md

View on GitHub
Pie

Pie

Browser-automation agent for Chrome — natural-language tasks executed through native tool calling, scoped Skills, CDP keyboard control, and a sandboxed, prompt-injection-resistant execution model.

Available in the Chrome Web Store

English · 简体中文

Install · Configure · Privacy · Changelog · Roadmap · Architecture · Archive

Why Pie

Pie turns Chrome into a browser-automation agent. Describe a task in natural language; the LLM plans steps and executes them through a typed tool registry — DOM actions, cross-tab orchestration, and CDP-level keyboard input for canvas editors that don't honor standard DOM events. Workflows can be saved as Skills with explicit tool whitelists. Tools run without per-action approval prompts; page content reaches the model only inside <untrusted_*> wrappers, tools are split into read vs. write classes with cross-session locks, and each session is sandboxed — so automation stays contained. BYOK: paste your own API key from any of eleven LLM providers — encrypted locally, no Pie backend, no telemetry.

  • Browser automation through native tool calling. The LLM uses Anthropic tool_use blocks or OpenAI function_calling to drive a typed tool registry — DOM actions (click, type, select, scroll, structured snapshot), cross-tab orchestration (list / activate / close / group / move / fetch readable content), and opt-in CDP keyboard injection (Input.dispatchKeyEvent, Input.insertText) for canvas editors like Lark Docs and Google Docs.
  • Skills as a first-class object. Save a prompt template with a scoped tool whitelist; run it as /skill_name. The agent can author its own skills too — gated by an 8-guard capability boundary so they cannot expand their own privileges.
  • Contained by design. Tools run without a per-action approval click. Containment comes from defense in depth: page and third-party content reaches the model only inside <untrusted_*> wrappers (prompt-injection defense), tools are classified read vs. write with cross-session write locks, and each session is sandboxed (its own port, pinned tabs, and CDP owner token). CDP keyboard injection is off until you opt in.
  • Multi-session, durable. Conversations survive Service Worker restarts; sessions are hard-deleted after 30 days with manual archive/restore support.
  • Side panel, not pop-up. Pie lives in Chrome's side panel and stays open while you browse — chat, run agent tasks, manage tabs without losing context.
  • BYOK. Bring your own API key from any of eleven LLM providers. Encrypted at rest with AES-GCM (key and data stored in local IndexedDB). No Pie backend, no telemetry, no proxy. See PRIVACY.md.

Features

Page understanding

Ask questions about the page you're on. Pie extracts visible text (with hardened scrubbing of credential fields) and sends only that to the LLM. Page snippets are wrapped in <untrusted_*> markers in the prompt to defeat prompt-injection attempts from page DOM.

Agent automation with tool calling

Describe a task in natural language. The LLM plans steps and executes them through Pie's tool registry, using your provider's native tool-calling protocol — Anthropic tool_use blocks for Claude, OpenAI function_calling for everyone else. The built-in toolset covers:

  • DOM actions — click, type, select, scroll, structured snapshot of interactive elements (links, buttons, inputs)
  • Cross-tab tools — list, activate, close, group / ungroup, move, fetch readable content from another tab
  • CDP keyboard (opt-in, off by default) — Input.dispatchKeyEvent and Input.insertText for canvas-based editors like Lark Docs and Google Docs, where standard DOM events are not honored
  • Skill meta-tools — the agent can create / update / delete / list its own skills (see Skill system below)

Three cross-tab skills ship built-in: auto_group_tabs, close_duplicate_tabs, close_inactive_tabs.

Skill system

Skills are saved prompt templates with explicit tool whitelists. Open Settings → Skills to create, edit, or delete your own — name, prompt template, parameter JSON schema, and the exact set of tools that skill is allowed to call. Run any skill from chat by typing /skill_name.

The agent itself can author skills via create_skill / update_skill / delete_skill meta-tools — useful for capturing a workflow the model just walked through, so it can be replayed in the next session. An agent-authored skill is tagged with author='agent' and is bound by the same capability-grant invariants below — it can only call tools it was explicitly granted and cannot widen its own privileges.

A skill cannot escape its declared tool whitelist. Eight capability-grant invariants are enforced on every skill mutation — hard size caps (≤8 KB prompt template, ≤2 KB parameter schema), forbidden meta-tool nesting, 1 MB per-installation storage budget, name validation against the live tool registry — so a runaway skill cannot widen its own privileges.

Safety model

Pie runs tools directly — there is no per-action approval card in the hot path. Safety is layered instead:

  • Prompt-injection containment. Page content, tab metadata, and skill arguments reach the model only inside <untrusted_*> wrappers, and never in the system prompt — so text in a page's DOM can't be read as a trusted instruction.
  • Read vs. write tool classes. Every tool is declared read or write at build time. Write-class tools are blocked from touching a tab another session has pinned (cross-session write lock), so concurrent sessions can't corrupt each other.
  • Per-session sandbox. Each session has its own streaming port, its own set of pinned tabs, and a CDP owner token, so one task can't hijack another's tab or debugger session.
  • CDP keyboard injection is off by default — you opt in from Settings before it can attach at all.
  • Skills can't self-escalate — enforced by the capability-grant invariants above.

The one approval you'll still see is at resume time: if you pause a task and its pinned tab was closed or navigated to a different origin, Pie shows a drift card before continuing rather than acting on the wrong page.

Supported providers

Provider Notes
Anthropic Claude Native API + native tool_use
OpenAI OpenAI function_calling
Gemini Native API
OpenRouter OpenAI-compatible
DeepSeek Anthropic-compatible
MiniMax Anthropic-compatible
GLM(Zhipu) OpenAI-compatible
Bailian OpenAI-compatible
Mimo(Xiaomi) Anthropic-compatible
Moonshot(Kimi) OpenAI-compatible · International api.moonshot.ai / China api.moonshot.cn (pick the matching entry to select region)
StepFun Anthropic-compatible

Adding a provider is a registry entry plus a host permission. Local Ollama is on the roadmap.

Install

Pie ships in two end-user channels and one source-build channel. Pick whichever fits.

Requires a Chromium-based browser with side-panel support — Chrome 114+, Edge, Brave, Arc, etc.

Option 1 — Chrome Web Store (recommended)

Install from the Chrome Web Store — click Add to Chrome, then pin Pie to the toolbar. Chrome keeps it up to date automatically.

Option 2 — GitHub Release zip (unpacked install)

For users who prefer to install the same artifact without the Web Store (e.g. an offline, self-managed, or policy-restricted setup):

  1. Download the latest pie-x.y.z.zip from the Releases page
  2. Unzip it to a directory you'll keep around (Chrome reads from this directory at runtime — don't delete it after install)
  3. Open chrome://extensions
  4. Enable Developer mode (top right)
  5. Click Load unpacked and select the unzipped directory
  6. Pin Pie to the toolbar; click the icon to open the side panel

Upgrading without data loss

Chrome derives the extension ID from the unpacked directory's path, and your sessions / encrypted API keys / Skills are scoped to that extension origin (IndexedDB + local storage). To carry them across releases, upgrade in place — don't unzip the new release to a different folder.

  1. Open chrome://extensions and find Pie's card. Note the unpacked directory path (shown under the card, or via Details → "Source")
  2. Delete the contents of that directory, but keep the directory itself
  3. Unzip the new pie-x.y.z.zip into that same directory
  4. Click the ↻ reload icon on Pie's card

⚠️ Do not click Remove on the old card. Remove drops the extension's local storage (IndexedDB + chrome.storage) along with the encrypted API keys and chat history. If you already removed it, re-add provider keys from Settings; chat history can't be recovered.

Web Store users (Option 1) skip this section — Chrome auto-updates the extension and storage carries over automatically.

Option 3 — Build from source (contributors)

If you want HMR, are sending a PR, or just don't trust prebuilt binaries:

git clone https://github.com/WiseriaAI/pie-ai-agent.git
cd Pie
pnpm install
pnpm build

Then load the generated dist/ directory as an unpacked extension (steps 3–6 above). For the inner dev loop see Development below.

Configuration

  1. Open the side panel and switch to the Settings tab
  2. Add a provider entry — paste your API key, choose a model
  3. Switch back to Chat and send a message

Your key is encrypted before it is stored locally (in IndexedDB). The encryption key itself is generated locally on first run and never leaves the device.

Privacy & security

  • BYOK: your API key never leaves the device, except as an Authorization header on direct provider API calls
  • All page content delivered to the LLM is wrapped in <untrusted_*> tags, hardening against prompt injection from page DOM
  • Tools run without a per-action approval prompt; containment comes from read/write tool classes with cross-session write locks and per-session sandboxing (isolated port, pinned tabs, CDP owner token)
  • No telemetry, no analytics, no third parties

Full policy: PRIVACY.md.

Development

pnpm install
pnpm dev          # Vite dev server with HMR
pnpm test         # Vitest, single run
pnpm test:watch   # Vitest, watch mode
pnpm build        # Production build to dist/

When developing, load the unpacked extension from dist/ (after the first pnpm dev run), and click the Reload button in chrome://extensions after each service-worker change.

Tech stack

  • Chrome Extension Manifest V3
  • React 19 + TypeScript 6
  • TailwindCSS 4 (Vite plugin, no config file)
  • Vite 8 + @crxjs/vite-plugin 2.4
  • pnpm

Project layout

Path Purpose
src/background/ Service Worker — message routing, agent loop dispatch, keep-alive
src/sidepanel/ React side-panel UI (Chat, Settings, session drawer)
src/lib/model-router/ Unified LLM interface; per-provider streaming + tool calling
src/lib/agent/ ReAct loop, tool registry, read/write tool classification, untrusted-content wrappers, prompt builder
src/lib/dom-actions/ Self-contained DOM action functions injected via executeScript
src/lib/skills/ Skill framework: types, storage, built-in skills
src/lib/sessions/ Session lifecycle: persistence, archive, multi-session sandbox

Architectural notes and invariant traces live in docs/solutions/. The project's compound-engineering notes and contributor guidance are in CLAUDE.md.

Roadmap

See docs/ROADMAP.md for the deferred-milestone backlog. Highlights:

  • Local model support via Ollama
  • Keyboard shortcuts
  • Page-URL-matched skill auto-trigger
  • Operation recording → skill autogeneration

Versioning & releases

Pie follows Semantic Versioning. Release notes live in CHANGELOG.md.

License

Licensed under the Apache License, Version 2.0 — © 2026 Pie Project Contributors.