Anthropic has begun testing a Chrome extension that allows its Claude AI system to operate inside the browser.
As part of a small research preview limited to around 1,000 paying subscribers on its Max plan, the feature, called 'Claude for Chrome,' positions the AI in a side panel where it can maintain context about ongoing browsing activity and, with user permission, carry out actions such as clicking buttons, filling in forms, and navigating between pages.
The move reflects a broader industry shift toward "agentic AI," which can described as systems designed not just to respond with text but to take multi-step actions in existing digital environments.
Browsers are an especially attractive frontier, since so much of modern work is carried out through web-based applications.
Anthropic is entering a space where several competitors are already active.
But unlike most, it's entering the battlefield with careful consideration.
We’ve developed Claude for Chrome, where Claude works directly in your browser and takes actions on your behalf.
We’re releasing it at first as a research preview to 1,000 users, so we can gather real-world insights on how it’s used. pic.twitter.com/lVDKhnPbHY— Anthropic (@AnthropicAI) August 26, 2025
Anthropic is an AI research and development company founded in 2021 by former OpenAI employees, including Dario and Daniela Amodei. Headquartered in San Francisco.
With focus creating reliable, interpretable, and steerable AI systems with an emphasis on safety and ethical considerations, the company came across this crossroad, where it wants to make the experience of using a browser more intuitive and powerful, but still safe.
Before this, Perplexity has launched its Comet browser with a built-in agent, OpenAI has been testing its Operator agent with ChatGPT Pro users, and Microsoft is adding computer-use features to Copilot Studio. Google has gone further by embedding its Gemini AI into Chrome itself, though the company faces complications from an ongoing antitrust case that has even raised the possibility of a forced Chrome divestiture.
While competitors have been relatively aggressive in rolling out browser-integrated AI, Anthropic is moving more cautiously.
The company has highlighted security concerns, particularly the risk of “prompt injection” attacks in which malicious instructions hidden in web pages or documents trick the AI into harmful actions. In internal testing, such attacks bypassed safeguards nearly a quarter of the time. With mitigations in place, the success rate dropped to around 11%, but the issue remains unresolved.
Because of these risks, Claude for Chrome comes with limits.
The AI is blocked by default from interacting with financial, adult, or pirated content sites, and it requires explicit user approval before performing higher-risk actions such as purchases or posting content. Anthropic has framed this pilot as a way to gather feedback and refine its defenses rather than a broad release.
Browser use brings several safety challenges—most notably “prompt injection”, where malicious actors hide instructions to trick Claude into harmful actions.
We already have safety measures in place, but this pilot will help us improve them.
Read more: https://t.co/aHRy6UNZp4— Anthropic (@AnthropicAI) August 26, 2025
While Anthropic is doing what it can to make it safe, the reliability and safety of such systems remain open questions.
Even Anthropic’s improved defenses still allowed more than one in ten malicious attempts to succeed, and adversaries are likely to adapt as the technology matures. That tension, between automation potential and security risks, will likely determine how quickly these tools move from controlled previews to mainstream deployment.
Claude for Chrome is therefore less a finished product than a signal.
It suggests that Anthropic intends to compete in the emerging browser-agent market but will advance cautiously, prioritizing safety research alongside capability.
Whether this careful approach proves a strength or a liability will depend on how the field evolves — and on how much risk users, especially enterprises, are willing to accept when granting AI agents access to the most important gateway in modern digital life: the web browser.
And here, Anthropic starts by releasing Claude as an agentic AI on Chrome, in order to test the water, and see what things go.
Read: Agentic Browsers Like Perplexity Comet Vulnerable To Indirect Prompt Injection, Said Brave
Max plan users can join the waitlist to test Claude for Chrome today: https://t.co/vd2KmxQJHp.
— Anthropic (@AnthropicAI) August 26, 2025
For users, as well as for businesses and developers, the implications are significant.
On the user side, agentic AI embedded in browsers could transform how people interact with the web. Instead of manually navigating through layers of interfaces, filling out repetitive forms, or juggling multiple apps, an AI agent could act as an intermediary. It can take instructions in natural language, and execute tasks directly within the browser.
From booking travel, managing online accounts, or even troubleshooting software could become faster and more accessible to non-technical users.
For businesses and developers, the rise of AI-powered browsers opens both opportunities, which include automating workflows that currently require expensive custom integrations or fragile scripting solutions. Startups might design services specifically optimized for AI interaction rather than human clicks, shifting the traditional model of web usability.
But again, in order for this kind of tool to work, the AI needs to handle a lot of thing, meaning that it needs to have permission to handle sensitive data and use it in sensitive environment. From financial dashboards to corporate intranets, to filling out usernames and passwords, and make purchases.
In other words, agentic AI is making browsers more than just a tool. People just need to trust it to use it.