diff --git a/browse/src/commands.ts b/browse/src/commands.ts
index 22c30694..9f2bf874 100644
--- a/browse/src/commands.ts
+++ b/browse/src/commands.ts
@@ -52,6 +52,11 @@ export const PAGE_CONTENT_COMMANDS = new Set([
   'console', 'dialog',
   'media', 'data',
   'ux-audit',
+  // snapshot emits aria tree with attacker-controlled aria-label strings.
+  // The sidebar's system prompt pushes agents to run `$B snapshot` as the
+  // primary read path, so unwrapped snapshot output is the biggest ingress
+  // for indirect prompt injection. Envelope it like every other read.
+  'snapshot',
 ]);
 
 /** Wrap output from untrusted-content commands with trust boundary markers */