When I first heard about Anthropic’s new Chrome extension for its Claude AI assistant, I’ll admit—I was intrigued. Who wouldn’t want an AI buddy that can help schedule meetings, fill out expense reports, or click through the endless maze of web tasks we all face every day? But then I learned something that stopped me in my tracks: it can also be tricked. Easily.
And that’s a problem. A big one.
What Claude for Chrome Actually Does
On Tuesday, Anthropic quietly launched “Claude for Chrome,” a new browser-based AI tool designed to live inside your browser as a kind of smart assistant. It lives in a sidebar and can see what you’re doing—like watching over your shoulder—but in a helpful way, at least in theory.
With your permission, Claude can:
- Manage your calendar
- Draft email replies
- Schedule meetings
- Handle expense reports
- Test website features
It essentially acts like an ultra-capable assistant that knows what you’re doing online and helps you do it faster. The extension builds on Anthropic’s earlier tool called “Computer Use,” launched in October 2024. That one let Claude control your mouse and take screenshots. This new Chrome version lets Claude integrate directly with websites—so it doesn’t just watch; it can actually click and type for you.
Sounds handy, right?
A Research Preview… for a Reason
Only 1,000 users on the $100 to $200/month Claude Max plan are getting access—for now. And that’s not just to build hype. There’s a good reason Anthropic is calling this a “research preview.”
Testing revealed a startling vulnerability: Claude can be manipulated.
More specifically, it can be prompted—tricked—by invisible instructions embedded in websites. This type of attack is known as a “prompt injection.” Think of it as a malicious whisper in the AI’s ear.
In fact, Anthropic tested 123 examples across 29 potential attack types. Without added safeguards, Claude followed the bad instructions nearly 24 percent of the time. One example? An email told it to delete all of a user’s emails “for mailbox hygiene.” Claude did it. Just like that.
How They’re Trying to Keep It Safe
To their credit, Anthropic saw this coming and stacked the extension with a few layers of security:
- You can control access on a per-site basis.
- Claude now asks for confirmation before doing high-risk tasks like publishing content or buying stuff.
- It’s blocked, by default, from accessing financial services sites, adult content, and sites hosting pirated material.
With these in place, attack success dropped to 11.2 percent.
On a smaller, focused test of four types of attacks specifically designed for a browser environment, the fixes dropped success rates from almost 36 percent to zero.
Sounds better, sure. But there’s still that 11.2 percent risk looming over everyday use.
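To make the layering concrete, here is an added illustration (not Anthropic’s code, and not how Claude for Chrome is actually implemented) of how a per-site allowlist, a blocked-category list and a confirmation gate for high-risk actions combine to decide what an agent may do. It adds one rule the article does not mention, treating any instruction read out of page or email content as untrusted; all hostnames, categories and action names are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum

class Verdict(Enum):
    ALLOW = "allow"        # agent may act without asking
    DENY = "deny"          # agent must not act on this site at all
    CONFIRM = "ask_user"   # agent must get the user's explicit approval first

# Hypothetical action names and categories chosen to mirror the three
# safeguards described above; none of these identifiers come from Anthropic.
HIGH_RISK_ACTIONS = {"publish", "purchase", "delete_all_mail", "send_mail"}
BLOCKED_CATEGORIES = {"financial", "adult", "piracy"}

@dataclass(frozen=True)
class ProposedAction:
    site: str     # hostname the agent wants to act on
    action: str   # what it wants to do there
    origin: str   # "user" if the user asked; "content" if found in page/email text

@dataclass(frozen=True)
class Policy:
    allowed_sites: frozenset   # layer 1: per-site access the user granted
    site_categories: dict      # layer 2: hostname -> category label

def evaluate(proposed: ProposedAction, policy: Policy) -> Verdict:
    """Apply the layers in order; the first layer that objects decides."""
    if proposed.site not in policy.allowed_sites:
        return Verdict.DENY
    if policy.site_categories.get(proposed.site) in BLOCKED_CATEGORIES:
        return Verdict.DENY
    if proposed.action in HIGH_RISK_ACTIONS:
        return Verdict.CONFIRM
    # Beyond the article's three layers: an instruction that was read out of
    # page or email content, not typed by the user, is never executed silently.
    if proposed.origin != "user":
        return Verdict.CONFIRM
    return Verdict.ALLOW

# Constructed sample policy: the user allowed three sites; one is a bank.
POLICY = Policy(
    allowed_sites=frozenset({"mail.example.com", "shop.example.com", "bank.example.com"}),
    site_categories={"bank.example.com": "financial"},
)

# The "mailbox hygiene" case from the text: the instruction came from an email.
MAILBOX_HYGIENE = ProposedAction("mail.example.com", "delete_all_mail", "content")

def triage(actions, policy=POLICY):
    """Return {proposed action: verdict} for a batch of proposed actions."""
    return {a: evaluate(a, policy) for a in actions}

if __name__ == "__main__":
    for a, v in triage([MAILBOX_HYGIENE]).items():
        print(f"{a.site} {a.action} (origin={a.origin}) -> {v.value}")
```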
Why Experts Are Still Nervous
Independent AI researcher Simon Willison—who literally coined the term “prompt injection”—didn’t mince words.
He called the 11.2 percent failure “catastrophic.” In his blog, he questioned whether it’s even possible to make these agent-style browser extensions safe at all. “I don’t think it’s reasonable to expect end users to make good decisions about the security risks,” he wrote.
He’s not alone in worrying. This isn’t just about Claude. AI assistants embedded directly into the browser are the new frontier. Perplexity launched “Comet” in July. OpenAI is testing an agent that navigates the web on behalf of users. Google’s been integrating its Gemini AI into Chrome, too.
Everyone’s racing to build this. But the risks aren’t just theoretical anymore.
What This Means for the Rest of Us
The Claude for Chrome preview is a fascinating look at what AI-driven computing might soon become. It shows us a future where your AI doesn’t just talk to you—it acts for you.
But that future comes with risk.
AI agents that can click, type, and act on their own are powerful. But if they’re also easily manipulated, that power backfires. Even with improved safety settings, today’s tools can still be tricked. And right now, the safety net isn’t strong enough.
So here’s the bottom line: If you’re using tools like this, you’re not just trusting the AI. You’re trusting every website it opens, every link it hovers over, and every email it reads.
Until the industry figures out how to really secure AI agents inside the browser, maybe watch your clicks—and your Claude—a little closer.