Anthropic pilots Claude for Chrome, focusing on browser integration with added safety protections against prompt injection attacks. Image Source: ChatGPT-5
Anthropic Pilots Claude for Chrome with Safety Controls
Key Takeaways:
Anthropic is piloting a Claude for Chrome extension, starting with 1,000 Max plan users.
The tool lets Claude take actions inside the browser, including filling forms, managing email, and scheduling.
Prompt injection attacks pose major risks: initial testing saw a 23.6% success rate before safeguards.
New defenses—including permissions, confirmations, and classifiers—reduced browser-specific attack rates from 35.7% to 0%.
The pilot aims to gather real-world feedback to refine protections before broader release.
Claude Comes to the Browser
After months of connecting Claude to calendars, documents, and productivity tools, Anthropic is piloting a new frontier: Claude for Chrome. The company argues that browser-based AI is inevitable, since so much daily work happens online.
The Chrome extension allows Claude to view webpages, click buttons, and fill forms, letting it take actions on behalf of the user. Early testing within Anthropic showed Claude could help with managing calendars, drafting emails, processing expense reports, and testing website features.
But browser use introduces unique risks—particularly safety and security challenges that need strong safeguards before wide deployment.
The Security Challenge: Prompt Injection
One of the most serious threats is prompt injection, where malicious instructions are hidden in websites, emails, or forms to trick an AI into harmful actions, without the user’s knowledge. For example, a red-teaming test showed Claude following a malicious email’s instructions to delete all messages without confirmation.
Anthropic’s internal testing evaluated 123 test cases across 29 attack scenarios. Without mitigations, Claude for Chrome showed a 23.6% success rate when deliberately targeted by attackers.
The company also tested browser-specific attacks, such as malicious form fields hidden in the DOM (Document Object Model) or instructions embedded in URLs and tab titles that only AI agents can see.
Building Defenses
Anthropic has implemented several layers of defense:
Site-level permissions let users control which sites Claude can access and can be revoked at any time.
Action confirmations require approval for high-risk actions like publishing, purchases, or sharing personal data. Even in Claude’s experimental autonomous mode, critical safeguards remain in place for sensitive actions, and all safety testing was conducted under this setting.
Blocked domains prevent Claude from accessing high-risk categories such as finance, adult content, or pirated sites.
Improved system prompts and classifiers guide Claude on handling sensitive instructions and detect suspicious activity even in seemingly legitimate contexts.
Anthropic also aligned Claude for Chrome with its ‘trustworthy agents’ principles, improving system prompts to guide how the AI handles sensitive data and responds to requests for sensitive actions.
With these safeguards in place, Anthropic reduced the browser pilot’s attack rate significantly. In targeted tests, the attack success rate dropped from 23.6% to 11.2%, and for the toughest browser-specific attacks, from 35.7% to 0%.
Controlled Pilot Testing
To continue strengthening protections, Anthropic is launching a controlled pilot with 1,000 Max plan users. These trusted testers can install the Claude for Chrome extension via the Chrome Web Store and use it on approved sites.
The goal is to gather real-world feedback on vulnerabilities, user preferences, and attack patterns. Participants are advised to limit Claude’s browser use to trusted sites and avoid sensitive contexts such as financial, medical, or legal transactions.
Anthropic emphasizes that this is a research preview. Broader rollout will only occur once safety measures are more robust and attack success rates are further reduced. You can join the waitlist here.
Q&A: Claude for Chrome
Q: What is Claude for Chrome?
A: It’s a pilot Chrome extension that allows Anthropic’s Claude AI to view and interact with webpages, clicking, filling forms, and performing tasks.
Q: Who can access the pilot?
A: Anthropic is starting with 1,000 Max plan users, with broader expansion planned after safety testing.
Q: What are prompt injection attacks?
A: They are malicious instructions hidden in content (e.g., web pages or emails) that trick AI into harmful actions, like deleting files or exposing data.
Q: How effective are the safeguards so far?
A: Safety measures reduced attacks from 23.6% to 11.2% overall, and from 35.7% to 0% in specific browser attack tests.
Q: How can users join?
A: Interested users can join the waitlist at claude.ai/chrome and install the extension once approved.
Looking Ahead
Browser integration marks a major milestone in AI usability. By embedding Claude directly in Chrome, Anthropic is pushing AI toward becoming a true workplace assistant. But the risks are as great as the opportunities.
The success of this pilot will depend on whether Anthropic can continue to reduce vulnerabilities and prove that AI agents can operate safely inside browsers. If successful, it could set a benchmark for how other companies bring AI copilots into everyday workflows.
Anthropic’s approach contrasts with Perplexity’s Comet browser, which launched with consumer-facing features, while Claude for Chrome begins in a tightly restricted research preview to prioritize safety.
For users and businesses alike, the message is clear: the future of browser-based AI will hinge not just on what these tools can do, but on how safely they can be trusted to act on our behalf.
Editor’s Note: This article was created by Alicia Shapiro, CMO of AiNews.com, with writing, image, and idea-generation support from ChatGPT, an AI assistant. However, the final perspective and editorial choices are solely Alicia Shapiro’s. Special thanks to ChatGPT for assistance with research and editorial support in crafting this article.