Form value injected with no keystroke or trusted paste (programmatic input)

bh.input_via_paste  ·  corroborates

behaviorallayer
behavioralcategory

What it catches

FP-Agent (arXiv 2605.01247, radar G15): LLM browser agents populate a form field via paste (Atlas/ChatGPT/Comet), CDP Input.insertText, Playwright fill(), or a direct .value set + dispatched input/change — the value appears with NO keydown on that field and no TRUSTED paste event. A human types (keydowns on the field) or pastes (a trusted ClipboardEvent). The collector (demo.py authoritative + collect.ts + livepage probes.ts) tracks, per form field, whether it received a keydown, a trusted paste, and a value change (input/change); a CHANGED field that got neither keydown nor trusted paste is programmatic injection. Server-prefill is excluded (it fires no input/change during the session). GROUNDED confirm-evades-first 2026-06-28: a Playwright page.fill() (sets value + dispatches input, no keydown) FIRES; page.type() (real keydowns per char) does NOT. Behavioral/corroborating + experimental: the residual FP is browser autofill (fills without keystroke/paste) — so it never convicts alone; calibrate-clean (browserforge has no input-interaction timeline, signal absent).

Signals it reads

behavioral.input_via_paste

How it fires

present

← all detections