Claude for Chrome
Last reviewed
Jun 3, 2026
Sources
6 citations
Review status
Source-backed
Revision
v1 · 1,158 words
Improve this article
Add missing citations, update stale details, or suggest a clearer explanation.
Suggest edit
CtrlK
Last reviewed
Jun 3, 2026
Sources
6 citations
Review status
Source-backed
Revision
v1 · 1,158 words
Add missing citations, update stale details, or suggest a clearer explanation.
Claude for Chrome is an agentic browser extension from Anthropic that lets its Claude models perceive a Chrome browser window and take actions in it, including reading pages, clicking buttons, navigating between sites, and filling out forms on a user's behalf. Anthropic announced it on August 26, 2025 as a research preview, initially limited to a small group of subscribers, and framed it primarily as an experiment in learning to defend against the security risks that come with giving an AI agent control of a browser. [1][2]
The extension grew out of Anthropic's earlier computer use work, a capability released in October 2024 that allowed Claude to operate a computer by viewing the screen and controlling a virtual mouse and keyboard. That first version was widely described, including by Anthropic and by reporters, as slow and unreliable for anything beyond simple tasks. [2] Claude for Chrome narrows the surface from a whole desktop to a single browser, which is where many routine knowledge-work tasks already happen.
By 2025 the browser had become a contested area for AI companies. Perplexity had shipped its Comet browser, OpenAI was reported to be working on browser integrations, and Google was building agentic features into Chrome itself. Anthropic positioned its extension as part of that shift toward agents that act inside the tools people already use rather than in a separate chat window. [1][2]
At launch the preview was offered to roughly 1,000 subscribers on the Claude Max plan, Anthropic's highest consumer tier, which at the time cost between $100 and $200 per month depending on usage limits. The company opened a waitlist for other Max users who wanted access. [1][2] Anthropic was explicit that this was a deliberately constrained rollout: the stated goal was to study real-world behavior and gather data on attacks before expanding availability. [1]
Once installed, the extension adds a side panel (Anthropic called it a sidecar) where a user chats with Claude while it keeps context on whatever is open in the browser. With permission, Claude can then carry out multi-step tasks across one or more tabs. Internally, Anthropic said staff had used early versions to manage calendars, schedule meetings, draft email replies, handle expense reports, and test website features. [1]
The preview later widened. Anthropic's release notes record an expansion to all Max subscribers in late November 2025 and broader availability to Pro, Team, and Enterprise plans in December 2025. [3] Those later stages are beyond the original announcement covered here.
Within a granted session, Claude can see the content of the active page, click interface elements, type into fields, submit forms, and move between pages and tabs to complete a request. Users control which sites Claude may touch through site-level permissions, and Team and Enterprise administrators can configure allowlists and blocklists for their organizations. [1][3]
Certain actions are gated behind explicit confirmation. By default Claude asks before doing things Anthropic classifies as high risk, such as making a purchase, publishing content, or sharing personal data, rather than performing them autonomously. The company also blocked the agent outright from categories of sites it considered too dangerous to operate on, including financial services, adult content, and sites offering pirated material. [1][2]
The announcement devoted much of its length to prompt injection, the class of attack in which malicious instructions are hidden inside content the agent reads (a web page, an email, a document) so that the agent follows the attacker's commands instead of, or in addition to, the user's. Anthropic argued that this risk is not theoretical for browser agents and that it was releasing to a limited audience specifically to harden the system against it. [1] Around the same period, the browser company Brave publicly documented indirect prompt-injection weaknesses in Perplexity's Comet, underlining that the problem was industry wide. [2]
Anthropic reported results from adversarial testing run over 123 test cases spanning 29 attack scenarios. In autonomous mode without the new defenses, deliberately targeted attacks succeeded 23.6% of the time. With a set of mitigations enabled, including system prompts that steer Claude away from suspicious instructions, action confirmations, and classifiers that scan untrusted content for injected commands, the success rate fell to 11.2%. Anthropic described that figure as a meaningful improvement over its existing computer use capability, though it did not publish a single comparison number for that earlier system. [1]
A separate, harder evaluation focused on browser-specific tricks: a challenge set of four attack types such as malicious form fields hidden in a page's Document Object Model and instructions smuggled through URLs or tab titles, none of which a human would see. On that set the new mitigations cut the attack success rate from 35.7% to 0%. [1]
| Evaluation | Attack success rate without mitigations | With mitigations |
|---|---|---|
| Autonomous mode, 123 test cases across 29 scenarios | 23.6% | 11.2% |
| Browser-specific challenge set (4 attack types) | 35.7% | 0% |
Anthropic was careful not to claim the problem solved. It said it wanted to widen the range of attacks under consideration and push the remaining percentages closer to zero before general release, and acknowledged that some vulnerabilities still needed fixing. [1] That caution proved warranted: in late 2025 and early 2026, outside security researchers disclosed real flaws in the extension, including a chained zero-click prompt-injection vulnerability dubbed ShadowPrompt that combined an overly permissive origin allowlist with a cross-site scripting bug, which Anthropic patched. [4]
Coverage treated the launch as significant but framed it around the security tradeoff rather than the feature set. TechCrunch described the extension as a Claude agent that lives in Chrome and noted that browser control had become the next battleground for AI labs. [2] The Register characterized the release as Anthropic teasing the product alongside unusually heavy safety warnings, reflecting how prominently the company foregrounded prompt-injection risk in its own announcement. [5] Security-focused outlets and independent researcher Simon Willison highlighted the published attack numbers as a relatively candid disclosure for a consumer launch, while cautioning that an 11.2% residual rate against motivated attackers was far from safe for unsupervised use. [1][6]
The extension fits alongside Anthropic's other agentic efforts, including Claude Code for software tasks in the terminal and later collaborative agent products, as part of a broader move from a chat assistant toward systems that take actions in real environments. [1]