OpenClaw changed how a lot of us think about AI agents — connecting LLMs directly to your filesystem, messaging platforms, and execution environments so they can actually get stuff done in the real world. It's powerful. It's also terrifying from a security standpoint if you're running it with unrestricted native privileges on your actual machine. One developer asked the obvious question: what if we built all that capability but sandboxed it entirely inside Chrome? The answer is Chaos, and it's wild.

Architecture: A Mini-OS Living in Your Browser

Chaos — named as an acronym for 'Chrome Agent Operating System' (yes, they thought of the name first) — packages everything as a Manifest V3 Chrome Extension coordinating with a Deno Deploy relay server. The codebase splits into five modular packages using npm workspaces: extension (the Chrome host client), agent-loop (provider-agnostic autonomous execution), sdk (shared TypeScript library for hooks and channels), tui (an Ink-based terminal dashboard), and server (Deno Deploy relay). Everything stays sandboxed through Origin Private File System, with each agent getting its own isolated directory containing CLAUDE.md instructions, activity logs, TODO lists, and topic-specific memories.

The Master Agent Hierarchy

The system doesn't rely on a single monolithic AI. Instead, Chaos implements a hierarchical master-worker architecture where a designated Master Agent has exclusive access to system-management tools like create_agent, assign_task, find_agent, and delete_agent. Specialized role templates exist for researcher, coder, writer, planner, reviewer, and general-purpose tasks — each provisioned with distinct personas loaded from templates into their isolated directories. The self-evolution model lets agents edit their own CLAUDE.md instructions over time, adapting behavior based on your preferences and interaction patterns.

TweetDeck UI Meets Agent Pool Management

Most AI chat interfaces lock you into a single conversation column. Chaos flips this with a TweetDeck-style multi-column layout where you can pin side-by-side columns for different agents — one for your Master agent, another for background research jobs, a third for code generation tasks. The modular design extends beyond Chrome too: packages/tui compiles an Ink-based interactive terminal dashboard using React Ink, letting developers manage their entire agent pool from the command line without touching the browser UI at all.

Hooks, Triggers, and Self-Modifying Agents

This is where it gets interesting. Chaos implements 14 reactive hook trigger types that hook directly into native Chrome events — bookmark-created, tab-navigated, download-completed, history-visited, idle-changed, context-menu clicks, omnibox input, and more. When an event fires, the background service worker captures it, builds a prompt, and launches an autonomous agentic loop in the background without interrupting your active tabs. But here's the kicker: because all configuration tools are exposed as standard tool definitions to the agents themselves, an agent can dynamically create its own hooks. A deep research agent working on 'security' topics can register a new context menu option like 'Send to Sandbox Research Folder', use it to gather content, then clean up after itself when the task completes.

Temporal Hooks and Recursive Self-Configuration

Beyond standard event triggers, Chaos leverages chrome.alarms for time-based autonomous wakeups. Tell the agent 'Check my Deno deploy queue every 3 hours' and it registers a chrome.alarms trigger under the hood — no bloated backend cron required. The recursive hook spawning is where things get philosophical: ask the Master agent to monitor downloads for PDFs containing the word 'security', summarize them, and you get a primary download-completed hook with filename filtering that spawns sub-agents which can register their own secondary hooks if conditions aren't met. Agents essentially construct their own sensory networks based on active work context.

External Channels and MCP Tunneling

Browser extensions can't receive incoming connections — they're stuck behind the browser's networking stack with no public IP or open ports. Chaos bridges this gap through a Deno Deploy relay server that handles WebSocket pairing, REST API routing, and platform-specific bot bridges for Telegram and Discord. Generic webhooks work as one-way inbound channels where external services POST data and must poll for agent replies; bidirectional platforms like Telegram get instant reply routing back through the native chat context. Perhaps most powerful: MCP tunneling exposes local browser capabilities (tab reading, bookmark management, OPFS file lookups) directly to IDEs like Cursor or Claude Code via JSON-RPC over WebSocket — no vulnerable desktop ports or native binaries needed.

Security and the Manifest V3 Catch-22

Chaos enforces ECDSA P-256 request signing where all outgoing replies get signed with a private key that the relay validates against X-Timestamp (within a 5-minute window) and random nonces to prevent session hijacking. But here's the irony the developer acknowledges: while they built an incredibly capable, dynamically self-modifying agent environment, shipping it through official Chrome Web Store channels might be impossible. Manifest V3 strictly prohibits extensions from executing remotely fetched code — which creates a philosophical problem when your 'code' is prose prompts that an LLM compiles into tool calls and actions in real-time.

The Bottom Line

This project proves the browser sandbox isn't just about safety — it's becoming a legitimate runtime for sophisticated multi-agent systems. Whether Chrome's security policies will evolve to accommodate prompt-as-code architectures remains unclear, but Chaos demonstrates what's possible when you treat the web platform as the operating system it already is.