Connecting AI tools to anything that contains loads of personal information has always felt like a step too far for me. Claude has been the only AI tool I've stuck with for this long and is usually the first, or only, one I open every day. But I'm not a security expert, and the things I keep reading from people who actually are have made me cautious about hooking it up to my real accounts and to tools that reach beyond work and projects, where much more of my personal data lives.

Calendar invites alone can carry prompt injections in their descriptions, which is part of why I built my own little calendar artifact in Claude for keeping track of my tasks rather than connecting the real one. Gmail's the same story (though I didn't actually build my own webmail client, I just don't have it connected). So when Claude in Chrome rolled out, it wasn't a difficult call for me to just ignore it. And the last few months of security news have only made me more sure about that choice.

How Claude actually gets into your browser

The two parts that are distinct but related

Claude in Chrome is still in beta despite being available for almost a year now. Anthropic calls it a research preview on its help pages and the Chrome Web Store listing flags it as Beta too. It's open across all paid plans now.

What it actually is, in practice, is a browser extension that opens as a sidebar in Chrome. You just sign in with your Claude account and the extension becomes an agent that can see the page in front of you and act on it. It does the obvious stuff (like navigation, clicking, and form filling) and can work across multiple tabs if you drop them into a group. This side of it works completely on its own, so the desktop app doesn't have to be running for it to function properly.

Then there's the connector toggle inside the Claude desktop app itself, in the Connectors window. This one only matters if you want the desktop app to be where you initiate browser actions from: a regular chat, a Cowork session, or Claude Code can all push actions out through it. The extension still has to be installed in Chrome for this toggle to do anything; it's just permission for the desktop app to talk to the already-installed extension via Chrome's native messaging. Basically, it's the same hands and eyes in the browser, but a different remote control.

It's important to note that the officially supported browsers are Chrome and Edge only. The Chrome Web Store listing itself says it's not supported on other Chromium-based browsers or on mobile. Brave is the obvious one people wonder about, since it's Chromium too, but you'd have to manually copy native messaging configs around to get it working, and Anthropic doesn't sanction that path.

So what could go wrong when you hook up Claude to your browser?

What an attack could actually look like and what compounds it

Prompt injection is the main headline risk and also the one that has me most cautious. The short version is that an AI agent can't reliably tell apart instructions from the person using it and instructions hidden in whatever it's reading. On a webpage, those instructions can sit in invisible text or HTML comments, and researchers have even demonstrated payloads tucked into URL fragments after the # sign. The agent follows them because they look like part of the content it was asked to work with, and it can't tell whether you put them there or not. What makes browsers specifically worse than chat is the exposure: the agent is now reading whatever pages you happen to load, not just text you deliberately pasted into a conversation.

Then there's what a successful injection actually lets an attacker do, because it's more than just making the AI say something weird. The extension uses your already-logged-in browser sessions, so if the agent gets tricked, it acts as you on every site where you're already signed in. There's no password theft required because the session itself is the credential.

Data exfiltration is the other piece of all of this. A malicious instruction can have the agent read content from one tab and ship it out somewhere, usually by encoding the data into a URL it visits next, and nothing visibly happens because technically the agent is just doing what it was asked. Security researcher Simon Willison has a useful name for the combination at play here - the lethal trifecta - and a browser agent fits the description by default. The risks aren't theoretical either, which is the part that bothers me most…
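As an added illustration (not code from the Claude extension or from Anthropic), here is the kind of check a browser agent could run before following a URL, aimed at the exfiltration pattern just described: page data encoded into the query string or #fragment of a link the agent is steered toward, often on a host the user never opened. The thresholds and the sample hosts and URLs are assumptions constructed for the example.

```javascript
// Added illustration, not code from the Claude extension: a pre-navigation
// check for the "encode data into the next URL" exfiltration pattern.
// Thresholds and sample values are assumptions for the example.
const MIN_BLOB_LEN = 64;                 // short ids and tokens stay below this
const ENCODED = /^[A-Za-z0-9+/=_-]+$/;   // base64, base64url or hex alphabet

function assessNavigation(urlString, knownHosts) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return { allow: false, reasons: ["unparseable URL"] };
  }
  const reasons = [];
  if (!knownHosts.has(url.hostname)) {
    reasons.push(`host ${url.hostname} is not one of the user's open sites`);
  }
  // Values the agent would be "delivering" to that host if it follows the link.
  const candidates = [...url.searchParams.values(), url.hash.slice(1)];
  for (const value of candidates) {
    if (value.length >= MIN_BLOB_LEN && ENCODED.test(value)) {
      reasons.push(`encoded blob of ${value.length} chars in the URL`);
    }
  }
  return { allow: reasons.length === 0, reasons };
}

// Constructed sample: hosts of the user's open tabs, a benign link on one of
// them, and a collector link carrying a 96-character blob in a query parameter.
const SAMPLE_KNOWN_HOSTS = new Set(["mail.google.com", "drive.google.com"]);
const SAMPLE_BENIGN = "https://drive.google.com/drive/folders?view=list";
const SAMPLE_SUSPECT = "https://collector.example/p?d=" + "Q".repeat(96);
```

A real deployment would pair this with an allow prompt rather than a silent block, since legitimate sites also carry long tokens in URLs.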

What's already gone wrong

The security record so far

Two real incidents specifically involving this extension surfaced in the last six months, both disclosed by independent security researchers. Neither was hypothetical and both have full writeups out there if you want to verify any of this for yourself.

The first was published by Koi Security in March 2026 under the name ShadowPrompt. Researcher Oren Yomtov found a vulnerability that let any malicious website inject instructions into Claude in Chrome. Because the extension automatically reads the content of your active tab to understand the page, this didn't even require you to click anything, just loading the page was enough. The exploit chained an overly permissive origin allowlist in the extension's messaging architecture with the model's inability to separate data from instructions. Demonstrated capabilities included stealing Gmail access tokens and reading Google Drive contents, all without the user seeing any of it happen. Fortunately, Anthropic patched the origin flaw fairly fast.

The second was reported to Anthropic by LayerX in late April 2026 and disclosed publicly in May under the name ClaudeBleed. Researcher Aviad Gispan found that a completely separate, malicious Chrome extension with zero declared permissions could send commands directly to the Claude extension and have them execute. Essentially, any random extension already installed in your browser became part of Claude's attack surface. LayerX's demo had a fake extension instruct Claude to open a Google Drive file named Top Secret and share it externally.

They also bypassed Claude's ask-before-acting prompts by spamming approval messages until the system accepted them, which is actually crazy to me because that means you couldn't even prevent it by telling Claude not to execute without permission. Anthropic shipped a partial fix in version 1.0.70, but LayerX says the root cause still hasn't been fully addressed.

Thanks but no thanks

Claude isn't going anywhere as my main AI tool anytime soon. The Figma and Adobe Express connectors have actually been useful and I'll keep them running. But I think the browser is staying out, and my email and calendar are too. The convenience would be kind of nice but I'd need a much higher level of trust that isn't there yet.