Claude for Chrome: Safer Browser AI Pilot


Anthropic pilots Claude for Chrome, a safer browser AI. Learn how the Chrome extension works, defenses against prompt injection, and how to join the waitlist.

Claude for Chrome: What’s New

Anthropic is piloting Claude for Chrome, a controlled research preview that brings its AI assistant into the browser. Read the original announcement here: Piloting Claude for Chrome. The goal is simple: let Claude see web pages, click buttons, and complete tasks in Chrome, while keeping safety and privacy front and center.

Why now? Much of our daily work lives in the browser. A capable, careful browser-using AI can draft emails, schedule meetings, complete forms, and test sites faster. But new power requires new guardrails. Anthropic is testing this extension with a limited set of trusted users to learn in real-world conditions and strengthen defenses before a broader rollout.

Why Browser-Using AI Matters

Claude already connects to calendars, documents, and apps. Adding a Chrome extension is the next step. With structured access to the web, Claude can perform tasks that would otherwise take many clicks. Internal trials showed clear gains for routine workflows: managing calendars, replying to emails, filing expense reports, and validating site features.

The promise is big: more automation with less friction. The challenge is bigger: the web contains malicious content that targets both people and agents. That is why Anthropic is prioritizing safety research now.

The Big Risk: Prompt Injection in the Browser

Prompt injection attacks try to trick AI agents into unsafe actions using hidden or misleading instructions. In a browser, those instructions can lurk in web pages, emails, documents, URLs, or even tab titles. The risks include deleting data, exfiltrating sensitive information, or making unapproved transactions.

Anthropic ran extensive red-team evaluations across 123 test cases and 29 attack scenarios. Without added mitigations in autonomous agent mode, targeted browser use showed a 23.6% attack success rate. One realistic case was a phishing-style email that instructed Claude to delete inbox messages without confirmation. The team used results like these to design and verify new safeguards.

Current Defenses and Safety Mitigations

Anthropic has deployed layered protections to reduce attack success and improve trust:

  • Permissions-first design: Users control where Claude can operate.
  • Site-level permissions: Grant or revoke access for specific domains at any time.
  • Action confirmations: Claude asks before high-risk actions like publishing, purchasing, or sharing personal data.
  • Autonomous mode safeguards: Even in autonomous mode, sensitive actions remain restricted and reviewed.
  • Upgraded system prompts: Claude is instructed to handle sensitive data cautiously and to resist suspicious instructions.
  • Category blocks: Access to high-risk site types (for example, financial services and adult or pirated content) is restricted.
  • Advanced classifiers: Detection systems flag suspicious instruction patterns and unusual data access requests.
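How the permission, category-block and confirmation layers listed above could compose into one decision per proposed action. This is an added example, not Anthropic's code or the extension's API; the function name, policy fields, action types and domains are assumptions, as is the rule that non-autonomous mode confirms every action.

```javascript
// Hypothetical policy gate for a browser agent (added illustration).
const HIGH_RISK = new Set(["publish", "purchase", "share_personal_data"]);

// Exact host or true subdomain only; a bare suffix test would let
// "notexample.com" pass for a grant on "example.com".
const hostMatches = (host, domain) =>
  host === domain || host.endsWith("." + domain);

function evaluateAction(policy, action) {
  let url;
  try {
    url = new URL(action.url);
  } catch {
    return { decision: "deny", reason: "unparseable URL" };
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    return { decision: "deny", reason: "unsupported scheme" };
  }
  const host = url.hostname.replace(/\.$/, ""); // drop trailing root dot

  // 1. Category blocks override any user grant.
  const blocked = policy.categories.find(
    (c) => policy.blockedCategories.has(c.category) && hostMatches(host, c.domain)
  );
  if (blocked) {
    return { decision: "deny", reason: "blocked category: " + blocked.category };
  }

  // 2. Site-level permission, default deny.
  if (!policy.grantedDomains.some((d) => hostMatches(host, d))) {
    return { decision: "deny", reason: "no site permission" };
  }

  // 3. High-risk actions need confirmation, including in autonomous mode.
  if (HIGH_RISK.has(action.type) || !policy.autonomous) {
    return { decision: "confirm", reason: "user approval required" };
  }
  return { decision: "allow", reason: "granted site, low-risk action" };
}

// Constructed sample policy; domains and categories are placeholders.
const samplePolicy = {
  autonomous: true,
  grantedDomains: ["calendar.example", "bank.example"],
  blockedCategories: new Set(["financial"]),
  categories: [{ domain: "bank.example", category: "financial" }],
};
```

The order of the checks matters: the category block is evaluated before the user's grant, so a granted domain in a blocked category is still denied.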

With these mitigations enabled in autonomous mode, Anthropic reduced the browser attack success rate from 23.6% to 11.2% — lower than its earlier, screen-only computer-use capability. On a targeted “challenge” set of four browser-specific attacks (including hidden malicious fields in the DOM, and injections via URL text or tab title), mitigations reduced the observed success rate from 35.7% to 0% in testing. The team stresses that continued testing is needed to expand coverage and push real-world risk closer to zero.

How the Pilot Works

The pilot focuses on learning from trusted users in real-world browsing. This helps Anthropic validate what works, find gaps, and iterate quickly. Insights from the preview will train stronger prompt-injection classifiers, improve the underlying models, and inform smarter permission controls.

Who should join: testers who are comfortable letting Claude perform actions in Chrome and who do not rely on the setup for safety-critical or highly sensitive work.

  • Request access by joining the waitlist: claude.ai/chrome.
  • Once admitted, install the extension from the Chrome Web Store and sign in with your Claude account.
  • Start with trusted sites and low-risk workflows.

Safe Browsing: Best Practices

Keep risk low while you explore the Claude for Chrome preview:

  • Use trusted, low-sensitivity websites first.
  • Review and limit site-level permissions to what you need.
  • Expect confirmation prompts for sensitive actions and read them carefully.
  • Avoid use on sites with financial, legal, or medical data.
  • Watch for signs of phishing or unusual instructions on pages or in emails.
  • Report any suspicious behavior to help refine safety measures.

Anthropic provides a detailed safety guide in its Help Center. These practices, paired with built-in controls and classifiers, reduce exposure while enabling productive automation.

Why This Matters for AI Safety

Browser-using agents powered by frontier models are emerging fast. By researching browser AI safety now, Anthropic aims to protect users and share learnings with the wider ecosystem. The company’s trustworthy-agent principles, combined with red teaming and continuous feedback, create a path to safer autonomy at the interface where people do most of their work: the browser.

As the pilot progresses, Anthropic plans to broaden access, expand the library of tested attack patterns, improve classifiers, refine permissions, and strengthen default guardrails. The long-term aim: a powerful, responsible Chrome extension that helps users work faster while keeping security and privacy in focus.

Getting Started

If you’re ready to try the research preview, join the Claude for Chrome waitlist at claude.ai/chrome. Once you have access, install the extension, sign in, and begin with low-risk tasks on trusted sites. Share feedback on what works, where it struggles, and any edge cases you find. Your input will help shape safer, smarter browser-using AI for everyone.
