This seems to be one of the eventual endgames for AI to have direct access to your browser so it can parse what you want exactly to get the data of what you need and gain the same in the process.
> Malicious actors can hide instructions in websites, emails, and documents that trick AI into taking harmful actions without your knowledge, including:
> * Accessing your accounts or files
> * Sharing your private information
> * Making purchases on your behalf
> * Taking actions you never intended
This should really be at the top of the page and not one full screen below the "Try" button.
> We’re launching with 1,000 Max users and expanding gradually based on what we learn. This measured approach helps us validate safeguards before broader deployment.
Somewhat comforting they’re not yolo-ing it too much, but I frankly don’t see how the prompt injection issues with browser agents that act on your behalf can be surmounted - maybe other than the company guaranteeing “we’ll reimburse you for any unintentional financial losses incurred by the agent”.
Cause it seems to me like any straightforward methods are really just an arms race between prompt injection and heuristic safeguards.
According to their own blog post, even after mitigations, the model still has an 11% attack success rate. There's still no way I would feel comfortable giving this access to my main browser. I'm glad they're sticking to a very limited rollout for now. (Sidenote, why is this page so broken? Almost everything is hidden.)
Most browser extensions you need to manually enable in incognito mode. This is an extension that should be disabled in normal mode and only enabled in incognito mode!
Hard pass, thanks. Claude code can be pretty amazing, but I need those guide rails -- being able to limit the scope of access, track changes with version control, etc.
Page is broken. Looking at the returned html it appears to not be populating the strings for the page itself, rather than a font loading or css error. The content just doesn't exist at the moment.
I love all the new AI improvements, but this is a _hard_ no for me.
Attack surface aside, it's possible that this AI thing might cancel a meeting with my CEO just so it can make time to schedule a social chat. At the moment, the benefits seem small, and the cost of a fallout is high.
Having played a LOT with browser use, playwright, and puppeteer (all via MCP integrations and pythonic test cases), it's incredibly clear how quickly Claude (in particular) loses the thread as it starts to interact with the browser. There's a TON of visual and contextual information that just vanishes as you begin to do anything particularly complex. In my experience, repeatedly forcing new context windows between screenshots has dramatically improved the ability for claude to perform complex intearctions in the browser, but it's all been pretty weak.
When Claude can operate in the browser and effectively understand 5 radio buttons in a row, I think we'll have made real progress. So far, I've not seen that eval.
I don't think we will get to a point where we can safely mitigate the risks associated with this. It is almost futile to pull this off at scale, and the so called "benefits" are not worth the tradeoff.
Personally, the only way I’m going to give an LLM access to a browser is if I’m running inference locally.
I’m sure there’s exploits that could be embedded into a model that make running locally risky as well, but giving remote access to Anthropic, OpenAI, etc just seems foolish.
Anyone having success with local LLMs and browser use?
So what’s the actual endgame here? If these agents eventually get full browser access, then whoever controls the browser effectively controls everything that we do online.
Today, most of these "AI agents" are really just browser extensions with broad permissions, piping whatever they see into an LLM. It works, but it feels more like a stopgap than a destination.
Imagine instead of opening a bank site, logging in, and clicking through forms, you simply say: “transfer $50 to savings,” and the agent executes it directly via the bank’s API. No browser, no login, no app. Just natural language!
The real question is whether we’re moving toward that kind of direct agent-driven world, or if we’re heading for a future where the browser remains the chokepoint for all digital interactions.
107 comments
[ 0.24 ms ] story [ 78.7 ms ] thread> * Accessing your accounts or files
> * Sharing your private information
> * Making purchases on your behalf
> * Taking actions you never intended
This should really be at the top of the page and not one full screen below the "Try" button.
Somewhat comforting they’re not yolo-ing it too much, but I frankly don’t see how the prompt injection issues with browser agents that act on your behalf can be surmounted - maybe other than the company guaranteeing “we’ll reimburse you for any unintentional financial losses incurred by the agent”.
Cause it seems to me like any straightforward methods are really just an arms race between prompt injection and heuristic safeguards.
https://i.imgur.com/E4HloO7.png
Attack surface aside, it's possible that this AI thing might cancel a meeting with my CEO just so it can make time to schedule a social chat. At the moment, the benefits seem small, and the cost of a fallout is high.
When Claude can operate in the browser and effectively understand 5 radio buttons in a row, I think we'll have made real progress. So far, I've not seen that eval.
I’m sure there’s exploits that could be embedded into a model that make running locally risky as well, but giving remote access to Anthropic, OpenAI, etc just seems foolish.
Anyone having success with local LLMs and browser use?
https://support.anthropic.com/en/articles/12012173-getting-s...
It's much less nice that they're more-or-less silent on how to mitigate those risks.
Ah, so the attacker will only get full access to my information and control over my accounts ~10% of the time. Comforting!
Today, most of these "AI agents" are really just browser extensions with broad permissions, piping whatever they see into an LLM. It works, but it feels more like a stopgap than a destination.
Imagine instead of opening a bank site, logging in, and clicking through forms, you simply say: “transfer $50 to savings,” and the agent executes it directly via the bank’s API. No browser, no login, no app. Just natural language!
The real question is whether we’re moving toward that kind of direct agent-driven world, or if we’re heading for a future where the browser remains the chokepoint for all digital interactions.