An automated browser agent for any site.
Quill does tasks on a web page for you — filling forms, comparing options, driving multi-step flows — by text or voice. It reads the page’s accessibility tree, targets elements by data-testid or role, and asks before anything sensitive.
No pixel-based clicking. No screenshots. Just the DOM.
Two ways to ship
Embed the widget
Add one package and a proxy endpoint. Quill mounts in an isolated Shadow DOM — your styles and globals are untouched. Ship data-testids for deterministic targeting; it works without them too.
import { mountQuill, RemotePlanner } from "@quill/widget";
mountQuill({
planner: new RemotePlanner("/quill/agent"),
voice: true,
});
Install the extension
A Chrome (MV3) extension that brings Quill to any site you visit. Least-privilege by design — activeTab injection, no <all_urls>. Point it at a model proxy and go.
# Load unpacked (MV3) packages/extension → chrome://extensions # Or wire your own proxy in Options
How it works
Observe
Quill computes a compact accessibility snapshot of the page — roles, names, states, and stable refs — not raw HTML or pixels.
Decide
The model (via the AI SDK) plans the next small, verifiable step and calls one of Quill’s DOM tools.
Act
It clicks, types, or selects using native events frameworks expect — then re-observes and continues until the task is done.
The tool surface
Nine small, typed tools — defined once with Zod, shared across both distributions. The agent can only read and interact with parts of the page.
read_page
Compact accessibility snapshot with stable refs
query
Find elements by testid, role+name, or text
read_element
Full detail of one element: value, states, errors
click
Click a ref — sensitive clicks are gated
type
Type into inputs; never into password fields
select
Choose an option in a select, listbox, or radio
scroll
Scroll the page or a ref into view
wait_for
Wait for an element or URL change after an action
ask_user
Ask a question or request confirmation
Safe by default
Confirmation, in code
Submits, payments, deletions, and external navigation require explicit user approval — enforced by the tool layer, never by model compliance.
No-go zones
Site owners declare regions Quill will neither read nor touch, or restrict it to part of the app.
Passwords stay secret
Password fields are never read into model context, and Quill won’t type into them — it hands focus to you.
Prompt-injection aware
All page-derived content is delivered as untrusted data; page text can never redirect the agent.
See Quill drive a real form.
The demo runs entirely in your browser — no API key needed. Watch it read the page, fill the fields, and pause for your approval before submitting.
Open the live demo →