Aug 27, 2025 12:40:00

The official extension 'Claude for Chrome' has been released, which allows you to use Claude as an agent on Chrome.

Anthropic's AI assistant,

Claude , is now available on the Chrome browser, Google's official extension, Claude for Chrome . With Claude for Chrome, you can instruct Claude to click buttons and fill out forms.

Piloting Claude for Chrome\Anthropic
https://www.anthropic.com/news/claude-for-chrome

We've developed Claude for Chrome, where Claude works directly in your browser and takes actions on your behalf.

We're releasing it at first as a research preview to 1,000 users, so we can gather real-world insights on how it's used. pic.twitter.com/lVDKhnPbHY

— Anthropic (@AnthropicAI) August 26, 2025

Anthropic states, 'We believe the emergence of browser-using AI is inevitable.' The reason is that so much work happens in the browser that giving Claude the ability to see what you see, click buttons, and fill out forms would greatly improve the browser's usefulness.

However, browser-based AI presents safety and security challenges that require stronger protections. By getting real-world feedback from trusted partners on the uses, shortcomings, and safety of AI, we can build robust classifiers and train future models to avoid undesirable behavior. This ensures that browser safety can keep up as capabilities evolve.

This effort is especially urgent, as resolving security issues will strengthen protections for Claude users and share our findings with all those building browser-based agents on the API. As part of this effort, Claude for Chrome has been released. At the time of writing, Claude for Chrome is in research preview, and testing will be conducted with 1,000 users of the paid 'Max' plan. Please note that because Claude for Chrome is still in research preview, there are still several vulnerabilities that need to be fixed.

Research Preview: Claude on Chrome - YouTube


Browser-based AI faces the threat of prompt injection attacks , where malicious attackers hide instructions in websites, emails, or documents to trick AI into performing harmful actions without the user's knowledge, potentially causing the AI to delete files, steal data, or perform financial transactions.

In fact, Anthropic reported that there were some worrying results when prompt injection attack countermeasures were not implemented on Claude for Chrome. Anthropic tested a wide range of hostile prompt injection attacks, evaluating 123 test cases corresponding to 29 different attack scenarios. The results showed that unprotected browsers had a 23.6% success rate against intentional attacks by malicious attackers.

As an example of a successful attack before the new defenses were implemented, Anthropic cites a malicious email claiming that the email needed to be deleted for security reasons. Claude followed the instructions and deleted the user's email without confirmation.

By implementing a countermeasure, Anthropic was able to prevent some prompt injection attacks. For example, if Claude received a malicious email claiming to delete the email for security reasons, the new countermeasure would recognize it as a suspicious security incident email that appeared to be a phishing attack.

The first line of defense against prompt injection attacks is permissions. Users have control over what Claude for Chrome can access and do. For example, users can grant or revoke Claude's access to specific websites at any time in settings. Claude also always prompts users for confirmation before performing high-risk actions, such as publishing, purchasing, or sharing personal data. Even if users select the experimental 'autonomous mode,' Claude will maintain certain safeguards for sensitive actions.

Additional safeguards have also been built in line with

the Trusted Agent principle : improved system prompts instruct Claude on how to handle sensitive data and how to respond to requests for sensitive actions.

Claude has also been blocked from accessing websites in certain high-risk categories, such as financial services, adult content, and pirated content. Anthropic has also begun building and testing advanced classifiers to detect suspicious instruction patterns and anomalous data access requests, even in seemingly legitimate contexts.

Adding safety measures to the autonomous mode reduces the success rate of prompt injection attacks from 23.6% to 11.2%. The graph below shows the success rate of prompt injection attacks for the following operating systems: 'traditional computer control features,' 'traditional browser control features,' and 'Claude for Chrome with added safety measures.' Chrome with added safety measures recorded the lowest success rate.

Specialized training and mitigations were conducted, focusing on new browser-specific attacks, such as malicious form fields hidden in the document object model of a web page, and hard-to-detect injections that are visible only to the agent, such as URL text and tab titles. In a 'challenge' set consisting of four browser-specific attack types, the new mitigations successfully reduced the success rate of attacks from 35.7% to 0%.

You can apply to participate in the Claude for Chrome research preview below.

Claude for Chrome
https://claude.ai/chrome