Anthropic Just Launched A Claude Agent For The Chrome Browser, But Most Users Can't Have It

The internet browser is the next place where frontier AI firms will battle for your attention. We're already using AI chatbots inside an internet browser, but products like ChatGPT and Gemini do not see what we do in the other tabs. We have to import links and upload documents when chatting with AI models about things we see online. Also, chatbots in their current form can't perform actions on our behalf on the internet, though some are getting agentic powers.

Some companies are developing new internet browsing experiences with AI at the core. Perplexity's Comet browser is one such example. Microsoft has built Copilot features into the Edge browser, and OpenAI is rumored to release a ChatGPT internet browser in the future. Google owns Chrome, so adding more Gemini capabilities to it is probably only a matter of time. Other AI companies will bring AI agents to existing browsers. Anthropic is one of them, having announced a Claude for Chrome agentic AI experience on Tuesday.

However, these are only the early days for the Claude agent that can see the websites you visit and help you with the content you're browsing. Not all Claude subscribers will have access to Claude for Chrome. Only about a thousand testers who subscribe to the most expensive Claude tiers can hope to get access. Anthropic is currently conducting advanced security testing to further fine-tune the experience and reduce the risk of Claude being exposed to hidden attacks crafted by malicious individuals targeting AI chatbots.

Claude for Chrome is an AI agent experience available to Chrome users after they install an extension. Then, you can tap on the Claude button next to the web address bar, and you'll open a side panel on the right side of a website you might be visiting. That's the chat window where you can interact with the AI agent and provide instructions.

The examples in the short video demo above cover searching the web for real estate, summarizing documents, looking for a specific food item and adding it to the cart, and interacting with websites. Anthropic said in a blog post that Claude for Chrome will be able to fill forms and click buttons on the web to perform the desired tasks.

To experience Claude for Chrome during the preview mode, you have to be a Claude Max subscriber. That involves paying $100/month or $200/month for Max access. Max subscribers interested in testing the Claude agentic experience in Chrome will have to join a waitlist and wait for an invite. Access will expand gradually, as the company improves user safety.

Having AI agents like Claude for Chrome perform actions on your behalf might be an interesting prospect, but it comes with risks. That's the main point of Anthropic's announcement. The company is rolling out Claude for Chrome for limited public use so it can expose the agent to real life use cases. Internal testing has shown that the Claude agent can be exposed to a type of attack called prompt injection. Hackers might include instructions for AI chatbots in web pages that are invisible to the user but readable by the AI.

Those prompt injections might trick the AI to perform harmful actions, overriding the instructions you might give the AI. For example, prompt injection attacks can lead to file deletion, data theft, and fraudulent financial transactions. Anthropic detailed an experiment where an internal attack on Claude succeeded in telling the AI to delete the emails in a user's inbox. The prompt injection came via a malicious email (seen above) which Claude read and executed. The email called for "mailbox hygiene," and the deletion of other emails. The prompt said "no additional confirmation required."

Anthropic went through 123 test cases for 29 attack scenarios using the AI agent's experimental "autonomous mode." Before employing safety mitigations, the attack success rate was at 23.6%. The AI firm implemented various protections that reduced the attack rate to 11.2%. In a security test involving specific attacks targeting browsers, the new security features dropped the attack success rate from 35.7% to 0%.

The protections Anthropic built into Claude for Chrome include updates to the system prompts related to how the AI handles sensitive data and requests. The Claude extension is also blocked on certain high-risk websites, including financial services, adult content, and pirated content. The company is developing more advanced classifiers to "detect suspicious instruction patterns and unusual data access requests."

But Anthropic says the first line of defense against prompt injections is permissions. The user will grant and revoke access for Claude to see specific websites from the Settings. Also important is the fact that Claude will not take sensitive actions (publishing, purchasing, sharing personal data) without confirmation from a human. When Claude operates in the autonomous mode, it'll still employ protections for sensitive actions.