Pie

Browser-automation agent for Chrome — natural-language tasks executed through native tool calling, scoped Skills, CDP keyboard control, and a sandboxed, prompt-injection-resistant execution model.

English · 简体中文 · 繁體中文 · Español (Latinoamérica) · 日本語 · Português (Brasil)

Install · Configure · Privacy · Changelog · Roadmap · Architecture · Archive

Why Pie

Pie turns Chrome into a browser-automation agent. Describe a task in natural language; the LLM plans steps and executes them through a typed tool registry — DOM actions, cross-tab orchestration, and CDP-level keyboard input for canvas editors that don't honor standard DOM events. Workflows can be saved as Skills with explicit tool whitelists. Tools run without per-action approval prompts; page content reaches the model only inside <untrusted_*> wrappers, tools are split into read vs. write classes with cross-session locks, and each session is sandboxed — so automation stays contained. BYOK: paste your own API key from any of eleven LLM providers — encrypted locally, no Pie backend, no telemetry.

Browser automation through native tool calling. The LLM uses Anthropic tool_use blocks or OpenAI function_calling to drive a typed tool registry — DOM actions (click, type, select, scroll, structured snapshot), cross-tab orchestration (list / activate / close / group / move / fetch readable content), and opt-in CDP keyboard injection (Input.dispatchKeyEvent, Input.insertText) for canvas editors like Lark Docs and Google Docs.
Skills as a first-class object. Save a prompt template with a scoped tool whitelist; run it as /skill_name. The agent can author its own skills too — gated by an 8-guard capability boundary so they cannot expand their own privileges.
Contained by design. Tools run without a per-action approval click. Containment comes from defense in depth: page and third-party content reaches the model only inside <untrusted_*> wrappers (prompt-injection defense), tools are classified read vs. write with cross-session write locks, and each session is sandboxed (its own port, pinned tabs, and CDP owner token). CDP keyboard injection is off until you opt in.
Multi-session, durable. Conversations survive Service Worker restarts; sessions are hard-deleted after 30 days with manual archive/restore support.
Side panel, not pop-up. Pie lives in Chrome's side panel and stays open while you browse — chat, run agent tasks, manage tabs without losing context.
BYOK. Bring your own API key from any of eleven LLM providers. Encrypted at rest with AES-GCM (key and data stored in local IndexedDB). No Pie backend, no telemetry, no proxy. See PRIVACY.md.

Features

Page understanding

Ask questions about the page you're on. Pie extracts visible text (with hardened scrubbing of credential fields) and sends only that to the LLM. Page snippets are wrapped in <untrusted_*> markers in the prompt to defeat prompt-injection attempts from page DOM.

Agent automation with tool calling

Describe a task in natural language. The LLM plans steps and executes them through Pie's tool registry, using your provider's native tool-calling protocol — Anthropic tool_use blocks for Claude, OpenAI function_calling for everyone else. The built-in toolset covers:

DOM actions — click, type, select, scroll, structured snapshot of interactive elements (links, buttons, inputs)
Cross-tab tools — list, activate, close, group / ungroup, move, fetch readable content from another tab
CDP keyboard (opt-in, off by default) — Input.dispatchKeyEvent and Input.insertText for canvas-based editors like Lark Docs and Google Docs, where standard DOM events are not honored
Skill meta-tools — the agent can create / update / delete / list its own skills (see Skill system below)

Three cross-tab skills ship built-in: auto_group_tabs, close_duplicate_tabs, close_inactive_tabs.

Skill system

Skills are saved prompt templates with explicit tool whitelists. Open Settings → Skills to create, edit, or delete your own — name, prompt template, parameter JSON schema, and the exact set of tools that skill is allowed to call. Run any skill from chat by typing /skill_name.

The agent itself can author skills via create_skill / update_skill / delete_skill meta-tools — useful for capturing a workflow the model just walked through, so it can be replayed in the next session. An agent-authored skill is tagged with author='agent' and is bound by the same capability-grant invariants below — it can only call tools it was explicitly granted and cannot widen its own privileges.

A skill cannot escape its declared tool whitelist. Eight capability-grant invariants are enforced on every skill mutation — hard size caps (≤8 KB prompt template, ≤2 KB parameter schema), forbidden meta-tool nesting, 1 MB per-installation storage budget, name validation against the live tool registry — so a runaway skill cannot widen its own privileges.

Safety model

Pie runs tools directly — there is no per-action approval card in the hot path. Safety is layered instead:

Prompt-injection containment. Page content, tab metadata, and skill arguments reach the model only inside <untrusted_*> wrappers, and never in the system prompt — so text in a page's DOM can't be read as a trusted instruction.
Read vs. write tool classes. Every tool is declared read or write at build time. Write-class tools are blocked from touching a tab another session has pinned (cross-session write lock), so concurrent sessions can't corrupt each other.
Per-session sandbox. Each session has its own streaming port, its own set of pinned tabs, and a CDP owner token, so one task can't hijack another's tab or debugger session.
CDP keyboard injection is off by default — you opt in from Settings before it can attach at all.
Skills can't self-escalate — enforced by the capability-grant invariants above.

The one approval you'll still see is at resume time: if you pause a task and its pinned tab was closed or navigated to a different origin, Pie shows a drift card before continuing rather than acting on the wrong page.

Supported providers

Provider	Notes
Anthropic Claude	Native API + native `tool_use`
OpenAI	OpenAI `function_calling`
Gemini	Native API
OpenRouter	OpenAI-compatible
DeepSeek	Anthropic-compatible
MiniMax	Anthropic-compatible
GLM(Zhipu)	OpenAI-compatible
Bailian	OpenAI-compatible
Mimo(Xiaomi)	Anthropic-compatible
Moonshot(Kimi)	OpenAI-compatible · International `api.moonshot.ai` / China `api.moonshot.cn` (pick the matching entry to select region)
StepFun	Anthropic-compatible

Adding a provider is a registry entry plus a host permission. Local Ollama is on the roadmap.

Install

Pie ships in two end-user channels and one source-build channel. Pick whichever fits.

Requires a Chromium-based browser with side-panel support — Chrome 114+, Edge, Brave, Arc, etc.

Option 1 — Chrome Web Store (recommended)

Install from the Chrome Web Store — click Add to Chrome, then pin Pie to the toolbar. Chrome keeps it up to date automatically.

Option 2 — GitHub Release zip (unpacked install)

For users who prefer to install the same artifact without the Web Store (e.g. an offline, self-managed, or policy-restricted setup):

Download the latest pie-x.y.z.zip from the Releases page
Unzip it to a directory you'll keep around (Chrome reads from this directory at runtime — don't delete it after install)
Open chrome://extensions
Enable Developer mode (top right)
Click Load unpacked and select the unzipped directory
Pin Pie to the toolbar; click the icon to open the side panel

Upgrading without data loss

Chrome derives the extension ID from the unpacked directory's path, and your sessions / encrypted API keys / Skills are scoped to that extension origin (IndexedDB + local storage). To carry them across releases, upgrade in place — don't unzip the new release to a different folder.

Open chrome://extensions and find Pie's card. Note the unpacked directory path (shown under the card, or via Details → "Source")
Delete the contents of that directory, but keep the directory itself
Unzip the new pie-x.y.z.zip into that same directory
Click the ↻ reload icon on Pie's card

⚠️ Do not click Remove on the old card. Remove drops the extension's local storage (IndexedDB + chrome.storage) along with the encrypted API keys and chat history. If you already removed it, re-add provider keys from Settings; chat history can't be recovered.

Web Store users (Option 1) skip this section — Chrome auto-updates the extension and storage carries over automatically.

Option 3 — Build from source (contributors)

If you want HMR, are sending a PR, or just don't trust prebuilt binaries:

hljs language-bash

git clone https://github.com/WiseriaAI/pie-ai-agent.git
cd Pie
pnpm install
pnpm build

Then load the generated dist/ directory as an unpacked extension (steps 3–6 above). For the inner dev loop see Development below.

Configuration

Open the side panel and switch to the Settings tab
Add a provider entry — paste your API key, choose a model
Switch back to Chat and send a message

Your key is encrypted before it is stored locally (in IndexedDB). The encryption key itself is generated locally on first run and never leaves the device.

Privacy & security

BYOK: your API key never leaves the device, except as an Authorization header on direct provider API calls
All page content delivered to the LLM is wrapped in <untrusted_*> tags, hardening against prompt injection from page DOM
Tools run without a per-action approval prompt; containment comes from read/write tool classes with cross-session write locks and per-session sandboxing (isolated port, pinned tabs, CDP owner token)
No telemetry, no analytics, no third parties

Full policy: PRIVACY.md.

Development

hljs language-bash

pnpm install
pnpm dev          # Vite dev server with HMR
pnpm test         # Vitest, single run
pnpm test:watch   # Vitest, watch mode
pnpm build        # Production build to dist/

When developing, load the unpacked extension from dist/ (after the first pnpm dev run), and click the Reload button in chrome://extensions after each service-worker change.

Tech stack

Chrome Extension Manifest V3
React 19 + TypeScript 6
TailwindCSS 4 (Vite plugin, no config file)
Vite 8 + @crxjs/vite-plugin 2.4
pnpm

Project layout

Path	Purpose
`src/background/`	Service Worker — message routing, agent loop dispatch, keep-alive
`src/sidepanel/`	React side-panel UI (Chat, Settings, session drawer)
`src/lib/model-router/`	Unified LLM interface; per-provider streaming + tool calling
`src/lib/agent/`	ReAct loop, tool registry, read/write tool classification, untrusted-content wrappers, prompt builder
`src/lib/dom-actions/`	Self-contained DOM action functions injected via `executeScript`
`src/lib/skills/`	Skill framework: types, storage, built-in skills
`src/lib/sessions/`	Session lifecycle: persistence, archive, multi-session sandbox

Architectural notes and invariant traces live in docs/solutions/. The project's compound-engineering notes and contributor guidance are in CLAUDE.md.

Roadmap

See docs/ROADMAP.md for the deferred-milestone backlog. Highlights:

Local model support via Ollama
Keyboard shortcuts
Page-URL-matched skill auto-trigger
Operation recording → skill autogeneration

Versioning & releases

Pie follows Semantic Versioning. Release notes live in CHANGELOG.md.

pie-ai-agent

Pie