The web browser is the next arena where cutting-edge AI companies will vie for your engagement. We are already utilizing AI chatbots within a web browser, yet tools like ChatGPT and Gemini do not perceive our activities in other tabs. It is necessary to import links and upload files while conversing with AI models about what we encounter online. Furthermore, chatbots, as they currently stand, cannot execute actions on our behalf across the internet, although some are gaining agent-like capabilities.
Several firms are crafting new online browsing experiences with AI at the forefront. Perplexity’s Comet browser exemplifies this trend. Microsoft has integrated Copilot features into the Edge browser, and there are speculations about OpenAI launching a ChatGPT browser in the future. As Google owns Chrome, it is likely that incorporating more Gemini features into it is just a matter of time. Other AI enterprises will introduce AI agents into existing browsers, with Anthropic being one of those, having unveiled a Claude for Chrome agentic AI experience recently.
Nevertheless, we are still in the initial stages of the Claude agent’s ability to monitor the websites you visit and assist with the content you explore. Not all subscribers of Claude will have access to Claude for Chrome. Only around a thousand testers who subscribe to the premium Claude tiers may have that opportunity. Anthropic is actively conducting rigorous security evaluations to enhance the experience and minimize the risk of Claude falling prey to covert attacks designed by malicious actors targeting AI chatbots.
How Claude for Chrome functions
Claude for Chrome represents an AI agent experience available to Chrome users following the installation of an extension. After that, you can click on the Claude button adjacent to the web address bar, opening a sidebar on the right side of the website you are visiting. This is where the chat interface exists for interacting with the AI agent and issuing commands.
The demonstrations showcased in the brief video above include searching online for real estate, summarizing documents, seeking a particular food item and adding it to the cart, and engaging with websites. Anthropic mentioned in a blog entry that Claude for Chrome will be capable of filling in forms and clicking buttons on the web to execute the desired tasks.
To utilize Claude for Chrome during its preview phase, you must be a Claude Max subscriber, which entails paying $100/month or $200/month for Max access. Max subscribers interested in experiencing the Claude agentic functionality in Chrome will need to sign up for a waitlist and await an invitation. Access will be rolled out gradually as the company seeks to enhance user safety.
Having AI agents like Claude for Chrome carry out tasks on your behalf may be an intriguing possibility, but it does entail certain risks. This is the key message from Anthropic’s announcement. The firm is introducing Claude for Chrome for limited public access in order to subject the agent to real-world scenarios. Internal testing has revealed that the Claude agent is vulnerable to a type of attack known as prompt injection. Hackers could embed commands for AI chatbots within web pages that are not visible to the user but can be interpreted by the AI.
Anthropic’s security concerns
Such prompt injections could deceive the AI into undertaking harmful actions, overriding the commands you intend to give the AI. For instance, prompt injection attacks could result in file deletions, data breaches, and illicit financial transactions. Anthropic outlined an experiment where an internal attack on Claude succeeded in instructing the AI to erase the emails in a user’s inbox. The prompt injection originated from a malicious email (illustrated above) which Claude read and acted upon. The email advocated for “mailbox hygiene,” leading to the deletion of other emails. The prompt indicated “no additional confirmation required.”
Anthropic evaluated 123 test cases across 29 attack scenarios using the AI agent’s experimental “autonomous mode.” Prior to implementing safety measures, the attack success rate stood at 23.6%. The AI company incorporated several protective measures that brought the attack rate down to 11.2%. In a security assessment targeted at specific attacks on browsers, the newly implemented security features plummeted the attack success rate from 35.7% to 0%.
The safeguards integrated into Claude for Chrome by Anthropic include adjustments to the system prompts that govern how the AI handles sensitive information and requests. The Claude extension is also restricted on particular high-risk websites, such as those involving financial services, adult content, and pirated material. The company is working on more sophisticated classifiers to identify “suspicious instruction patterns and unusual data access requests.”
However, Anthropic asserts that the primary defense against prompt injections lies in permissions. Users will have the ability to grant and revoke Claude’s access to specific websites via the Settings. Equally significant is the fact that Claude will refrain from undertaking sensitive actions (e.g., publishing, purchasing, sharing personal data) without explicit human confirmation. When operating in autonomous mode, Claude will still apply safeguards for sensitive operations.
