Anthropic PBC, the startup developing the Claude Gen AI model family, announced the pilot of a browser extension on Tuesday that lets its AI model take control of users’ Google Chrome. The experimental browser-using capability, called Claude for Chrome, will be available for 1,000 users subscribed to the company’s Max plan for $100 or $200 per month. The company announced the extension as a controlled pilot for a small number of users so Anthropic can develop better security practices for this emerging technology. “We view browser-using AI as inevitable: so much work happens in browsers that giving Claude the ability to see what you’re looking at, click buttons, and fill forms will make it substantially more useful,” Anthropic said. The company said that early versions of Claude for Chrome showed promise in managing calendars, scheduling meetings, drafting email responses and testing website features. However, the feature is still experimental and represents a major new security concern, which is why it is not being released widely. Allowing AI models direct control of browsers means that they will encounter a higher chance of malicious instructions in the wild that could be executed on users’ computers, allowing attackers to manipulate the AI model. In experiments, Anthropic said prompt injection tests evaluated 123 attacks representing 29 different scenarios. Out of those, AI-controlled browser use without safety mitigation had a 23.6% success rate for deliberate attacks. “When we added safety mitigations to autonomous mode, we reduced the attack success rate of 23.6% to 11.2%, which represents a meaningful improvement over our existing Computer Use capability,” Anthropic said. Anthropic said for the pilot, users will be blocked from sites it considers “high-risk categories,” such as financial services, adult content and pirated content. The Anthropic team added that it will use insights from the pilot users to refine how prompt injection classifiers operate and how the security mechanisms work to protect users. By building an understanding of user behavior, especially unsafe behavior, and uncovering new attack patterns, the company said it hopes to develop more sophisticated controls for this type of safety-critical application.