"Agents that Prioritize 'Safety': The Day Claude 'Lives' in Chrome — Anthropic's Browser AI Agent Launches"

On August 26, 2025 (U.S. time), Anthropic announced a "research preview" of its AI agent "Claude for Chrome," which operates on Chrome. Initially, it will be offered exclusively to 1,000 subscribers of the Max plan, priced between $100 and $200 per month, with a waitlist available for the general public. By adding the extension, Claude will reside in the browser's side panel, allowing users to converse while maintaining the context of the page they are viewing. Furthermore, if permitted, Claude can perform certain actions like clicking buttons or filling out forms on behalf of the user.TechCrunch

According to Anthropic's official announcement, this pilot is a deliberately small-scale deployment aimed at confronting "safety challenges." Specifically, it combines defenses such as a design that allows users to manage permissions on a site-by-site basis, additional confirmations before high-risk operations (such as posting, purchasing, or sharing personal information), and default access blocking to specific categories like financial, adult, and pirated content. In experiments, the introduction of defenses against prompt injection reduced the attack success rate from 23.6% to 11.2%. Additionally, for four "browser-specific" attack sets, including hidden forms within the DOM and through tab titles, the success rate was reduced from 35.7% to 0% (though it is acknowledged that it is not yet complete).Anthropic

Why the Browser "Now"?

In the past year, "Browser × AI" has become the next battleground. Perplexity announced its own browser "Comet" with agent functionality, and rumors persist about OpenAI moving towards a similar experience. Google is advancing the integration of Gemini into Chrome. As browsers have become established as the "face of the OS," agents residing here hold the key to workflow entry points. Furthermore, amid rumors and market jitters about Google's antitrust trial (mentioning the potential sale of Chrome), companies are accelerating their strategies.TechCrunch

Initial User Experience and Recommended Use

Anthropic emphasizes the importance of "real-world feedback." Internal testing showed utility in routine tasks like calendar management, meeting coordination, email drafting, and minor site QA, while also confirming unresolved issues like prompt injection. Participants in the research preview are provided with safety guidelines such as not using it in sensitive areas like finance, legal, and medical and starting with trusted sites. Once access is granted, the extension can be installed from the Chrome Web Store.Anthropic

Social Media Reaction: Expectations and the "11.2%" Buzz

Immediately after the announcement, discussions on HN (Hacker News) spread, with comments like "reasonable for a very small rollout" and "but 11.2% is still high." There were in-depth questions about the safety threshold and cautious opinions that "completing the guardrails should come first."RedditHacker News

On X (formerly Twitter), the official account announced the launch. Posts were observed stating that it had become "visible in the Chrome Web Store" behind the waitlist. Meanwhile, there were also voices expressing concern, saying **"an attack success rate of 11.2% is 'Yikes!'"** This dichotomy of "expectations and safety" succinctly captures the atmosphere of the initial phase.X (formerly Twitter)

Additionally, an HN poster claiming to be a tester raised alarms about the extension using debugger privileges (high privileges derived from the Chrome DevTools Protocol) and pointed out the risks when combined with prompt injection. While noting that this is currently based on user observation and evaluation, permission design is one of the community's major concerns.Hacker News

Positioning: What Has Changed Since Last Year's "PC Operation Agent"?

In 2024, Anthropic introduced an experimental agent that directly operated PC screens, but at the time, "issues with speed and reliability" were pointed out. This time, by narrowing the "point of action" to the browser and designing permissions and defenses in stages, it gives the impression of moving towards a practical solution. However, the higher the **autonomous mode**, the greater the room for malfunction or manipulation. Starting small, applying safety valves, and nurturing defenses with the community—that strategy is evident.TechCrunchAnthropic

Competitive Comparison and Considerations for Introduction

• Perplexity Comet/OpenAI's Moves: Players with a foundation in search and exploration have high compatibility with browser-resident agents. Claude aims to differentiate itself with dialogue quality and a focus on safety.TechCrunch

• Deep Integration with Chrome vs. Cross-Browser: For enterprise introduction, integration with SaaS, ID platforms, and DLP is key. Minimizing browser permissions and ensuring auditability are essential.

• Best Practices for Safe Operation: Using a site permission list method, constant double-checking of sensitive operations, and combining with templated "confirmation prompts." Anthropic itself recommends referring to safety guides.Anthropic

How to Start (Current Status)

Currently, it is a pilot limited to 1,000 Max plan subscribers. If interested, register on the waitlist, and once access is granted, add the extension from the Chrome Web Store. It is practical to limit the evaluation period to non-sensitive tasks and start operations while finely setting permissions for each site.TechCrunchAnthropic

Powered by Froala Editor