AI company enters competitive browser integration race with limited pilot program.
Anthropic announced Tuesday the launch of a research preview for Claude for Chrome, a browser extension that allows its AI assistant to interact directly with web pages and perform tasks on behalf of users. The extension is initially rolling out to 1,000 subscribers on Anthropic's Max plan, which costs between $100 and $200 per month, with additional users able to join a waitlist.
The Chrome extension represents Anthropic's latest move in the increasingly competitive AI browser integration space, where companies are racing to create seamless connections between AI systems and users' daily web activities.
How Claude for Chrome Works
The extension operates through a sidecar window that maintains context of everything happening in the user's browser. Users can chat with Claude while browsing and grant the AI permission to take actions such as clicking buttons, filling forms, and managing various web-based tasks.
"We view browser-using AI as inevitable: so much work happens in browsers that giving Claude the ability to see what you're looking at, click buttons, and fill forms will make it substantially more useful," - Anthropic stated in its announcement.
Internal testing has shown promising applications, with Anthropic employees using early versions to manage calendars, schedule meetings, draft email responses, handle routine expense reports, and test website features.
Safety Concerns and Mitigations
However, Anthropic has identified significant security vulnerabilities that must be addressed before wider release. The company conducted extensive testing that revealed concerning susceptibility to prompt injection attacks, where malicious actors hide instructions in websites to trick AI agents into harmful actions.
In their red-teaming experiments evaluating 123 test cases representing 29 different attack scenarios, Anthropic found that "browser use without our safety mitigations showed a 23.6% attack success rate when deliberately targeted by malicious actors."
One particularly troubling example involved a malicious email that instructed Claude to delete user emails without confirmation, which the AI followed when processing the inbox.
To combat these risks, Anthropic has implemented several defensive measures:
- Site-level permissions: Users can grant or revoke Claude's access to specific websites
- Action confirmations: Claude asks for permission before high-risk actions like publishing, purchasing, or sharing personal data
- Blocked categories: By default, Claude cannot access financial services, adult content, and pirated content websites
- Advanced classifiers: Systems designed to detect suspicious instruction patterns
These mitigations reduced the attack success rate from 23.6% to 11.2%, though Anthropic acknowledges more work is needed to reach near-zero vulnerability levels.
Previous Attempts and Evolution
This isn't Anthropic's first venture into computer control AI. In October 2024, the company launched an AI agent that could control PCs, though testing revealed that the model was "quite slow and unreliable.
Since then, the capabilities of agentic AI models have improved quite a bit, with modern browser-using AI agents proving fairly reliable at offloading simple tasks for users, though they still struggle with more complex problems.
Anthropic emphasizes that this research preview serves as a critical learning opportunity to identify and address safety risks before broader deployment. The company plans to use insights from the pilot program to refine its security measures and develop more sophisticated permission controls.
"Before we make Claude for Chrome more widely available, we want to expand the universe of attacks we're thinking about and learn how to get these percentages much closer to zero," the company stated.
