Claude for Chrome (now in pilot), Perplexity’s Comet, and Dia are all pushing the idea of a browser that doesn’t just display pages but acts within them. But as soon as you let an AI click, type, and execute, the hardest problem comes into view: security.

The quiet threat of prompt injection

Anthropic deserves credit for going deep on vulnerabilities in its Claude for Chrome pilot.

“Some vulnerabilities remain to be fixed before we can make Claude for Chrome generally available. Just as people encounter phishing attempts in their inboxes, browser-using AIs face prompt injection attacks—where malicious actors hide instructions in websites, emails, or documents to trick AIs into harmful actions without users’ knowledge.”

In red-team testing, Claude executed malicious instructions in nearly one in four targeted cases. With defenses such as site restrictions, confirmations, and domain blocking, the rate dropped to 11 percent. For browser-specific tricks like hidden form fields, the success rate fell from 35 percent to zero.

Publishing these numbers is significant. Transparency matters when the attack surface is any page on the internet.

The optimistic angle

This is not bleak news. First, we now have metrics—attack success rates, challenge sets, benchmarked defenses—that create a shared language for researchers, vendors, and enterprises. Second, mitigations are already in play: permission scaffolding, domain filters, and classifiers are being tested in live pilots. Third, vendors like Anthropic are treating security as a design pillar, not an afterthought—limiting early releases to small groups, requiring explicit consent for risky actions, and publishing residual risks.
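
To make the layering concrete, here is a small model of how the mitigations described above (site restrictions, blocking of hidden form fields, explicit confirmation for high-impact actions) sit on top of the model's own refusals, and how an attack success rate over a challenge set is measured with the gate off and on. This is an added illustration, not code from Anthropic or any browser named in this piece; the policy, domain names, action types and challenge set are all constructed.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

# Constructed policy for a hypothetical browser agent (not any vendor's real rules)
ALLOWED_DOMAINS = ("intranet.example.test", "*.docs.example.test")   # site restriction
CONFIRM_ACTIONS = {"submit_form", "send_email", "purchase"}           # need explicit consent

@dataclass(frozen=True)
class ProposedAction:
    kind: str                 # "click", "type", "submit_form", ...
    domain: str               # origin the action would act on
    hidden_target: bool       # element is hidden (type=hidden, display:none, off-screen)
    model_complied: bool      # constructed: would the model alone have followed the injected text?

def evaluate(action: ProposedAction, user_confirmed: bool = False) -> tuple[str, str]:
    """Layered gate: returns ('deny' | 'confirm' | 'allow', reason)."""
    if not any(fnmatch(action.domain, pat) for pat in ALLOWED_DOMAINS):
        return "deny", "domain outside allowlist"
    if action.hidden_target:
        return "deny", "target element is hidden from the user"
    if action.kind in CONFIRM_ACTIONS and not user_confirmed:
        return "confirm", "high-impact action requires explicit user consent"
    return "allow", "within policy"

def attack_success_rate(challenge, defenses_on: bool) -> float:
    """Share of injected actions that would actually execute, with or without the gate."""
    executed = 0
    for a in challenge:
        if not a.model_complied:
            continue                      # model refused on its own
        if defenses_on and evaluate(a)[0] != "allow":
            continue                      # gate blocked it or parked it for confirmation
        executed += 1
    return executed / len(challenge)

# Constructed challenge set: each entry is an action an injected page tried to trigger
CHALLENGE = [
    ProposedAction("click", "intranet.example.test", True, True),       # hidden-field trick
    ProposedAction("submit_form", "intranet.example.test", False, True),
    ProposedAction("type", "attacker.example.test.evil", False, True),  # off-allowlist origin
    ProposedAction("click", "wiki.docs.example.test", False, False),    # model refused
    ProposedAction("click", "wiki.docs.example.test", False, True),     # residual risk
    ProposedAction("send_email", "intranet.example.test", True, False),
    ProposedAction("purchase", "shop.other.test", False, True),
    ProposedAction("type", "intranet.example.test", False, True),       # residual risk
]

if __name__ == "__main__":
    print(f"baseline:      {attack_success_rate(CHALLENGE, False):.0%}")  # 75%
    print(f"with defenses: {attack_success_rate(CHALLENGE, True):.0%}")   # 25%
```

The residual entries are the point: a visible action on an allowed site that the model is willing to take passes every gate, which is why the published numbers drop rather than reach zero.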

Security is not a side concern for agentic browsers. It is the defining challenge that will determine whether they are trusted or discarded. The encouraging sign is that, unlike earlier waves of technology, this one is starting with adversarial testing and layered defenses built in.

The headwinds are real. But so is the progress. If the future of browsing is agentic, the real race is not who ships first—it is who builds the browser that can act safely.