A study looking into agentic AI browsers has found that these emerging tools are vulnerable to both new and old schemes that could make them interact with malicious pages and prompts. According to an examination focused primarily on Comet, these tools were released with inadequate security safeguards against known and novel attacks specifically crafted to target them. Tests from Guardio, a developer of browser extensions that protect against online threats (identity theft, phishing, malware), revealed that agentic AI browsers are vulnerable to phishing, prompt injection, and purchasing from fake shops. In one test, Guardio asked Comet to buy an Apple watch while on a fake Walmart site the researchers created using the Lovable service. Although in the experiment Comet was directed to the fake shop, in a real-life scenario an AI agent can end up in the same situation through SEO poisoning and malvertising. The model scanned the site without confirming its legitimacy, navigated to checkout, and autofilled the data for the credit card and address, completing the purchase without asking for human confirmation. In the second test, Guardio crafted a fake Wells Fargo email sent from a ProtonMail address, linking to a real, live phishing page. Comet treated the incoming communication as a genuine instruction from the bank, clicked the phishing link, loaded the fake Wells Fargo login page, and prompted the user to enter their credentials. Finally, Guardio tested a prompt injection scenario where they used a fake CAPTCHA page hiding instructions for the AI agent embedded in its source code. Comet interpreted the hidden instructions as valid commands and clicked the ‘CAPTCHA’ button, triggering a malicious file download. Guardio underlines that their tests barely scratch the surface of the security complexities that arise from the emergence of agentic AI browsers, as new threats are expected to replace the standard human-centric attack models.