So we’ve reached the point where AI doesn’t just answer your questions. It actually does things. OpenAI shipped ChatGPT Atlas last October, Perplexity launched Comet, and suddenly everyone’s talking about AI browser agents that can navigate websites, fill out forms, and complete tasks while you go make coffee.
Sounds great until you think about it for more than five seconds.
What They’re Selling You
The pitch goes something like this: instead of clicking through twelve screens to book a flight, just tell your AI to handle it. The agent navigates to the airline site, enters your info, compares prices, books the ticket. You never touch the keyboard.
Here’s the problem. For any of this to work, the AI needs access to everything. Your email. Your calendar. Your contacts. Your passwords. TechCrunch talked to a bunch of security researchers about this back in October, and they were not exactly enthusiastic. These agents create an attack surface that traditional browsers simply don’t have.
Prompt Injection Will Ruin Your Day
The vulnerability everyone’s worried about is called prompt injection, and it works like this:
- An attacker plants hidden instructions on a webpage (invisible to you, perfectly readable by AI)
- Your agent visits that page and ingests the malicious text
- The agent gets confused about who’s giving orders and does what the attacker wants
If an agent falls for this, an attacker could steal your emails and personal data. They could make purchases on your behalf. They could post garbage to your social media. They could forward your entire contact list to some server in who knows where.
The really fun part? Nobody has solved this. OpenAI’s CISO Dane Stuckey said it plainly: “prompt injection remains a frontier, unsolved security problem.”
Perplexity’s security team was even more blunt. They wrote that prompt injection “manipulates the AI’s decision making process itself, turning the agent’s capabilities against its user.” That’s not reassuring!
Browsers Are Just the Start
What actually keeps me up at night is that browser agents are the easy case. The exact same vulnerabilities show up everywhere agents are taking actions.
Coding Assistants With Shell Access
AI coding tools can run commands now. They modify files. They can deploy code. So imagine you install some npm package that has hidden instructions buried in its README or sprinkled through code comments. A poisoned coding agent could run arbitrary commands on your machine. It could steal your API keys and credentials. It could push malicious commits to your repos. It could just delete everything.
Agents That Control Your Whole Computer
Apple and Google and Microsoft are all building AI that operates at the OS level. These agents need way more permissions than browser agents do. We’re talking access to every file, every application, every system setting.
A prompt injection attack against one of these could access literally any file you own. It could install malware. It could turn off your security software. It could watch your keystrokes and screenshots.
The Core Issue Nobody Can Fix
Steve Grobman, CTO at McAfee, nailed the root cause: LLMs can’t tell the difference between instructions from you (the user who’s supposed to be in charge) and data they encounter while doing a task (which might be malicious).
This isn’t a bug. You can’t patch it. It’s just how these models work. Everything looks like text. Your command and a hidden instruction on some sketchy website are indistinguishable from the model’s perspective.
Brave published research calling indirect prompt injection a “systemic challenge facing the entire category of AI powered browsers.” I’d go further. It’s a systemic challenge for all agentic AI, full stop.
The Arms Race Has Already Started
OpenAI and Perplexity have both shipped mitigations. OpenAI built a “logged out mode” where the agent browses without access to your accounts. This limits what attackers can steal, but it also makes the agent way less useful. Perplexity built a detection system that tries to catch injection attempts in real time.
These help. But as Grobman put it, “It’s a cat and mouse game. There’s a constant evolution of how the prompt injection attacks work.”
The first attacks were dumb. Just hidden text saying “forget all previous instructions.” Now people are embedding instructions inside images using steganography. The attacks are only going to get weirder.
What You Should Actually Do
Look, these tools are genuinely useful. People are going to use them. If you’re one of those people, here’s how to be less of an easy target.
First, use a unique strong password for any AI browser account. These are now high value targets for attackers.
Second, turn on multi factor authentication. Everywhere. Just do it.
Third, think hard about what you connect. Maybe don’t link your bank account or health portal or primary email to beta software that the creators admit has “unsolved” security problems.
Fourth, consider isolation. Use a separate browser profile for AI agents where you’re not logged into anything sensitive.
Fifth, stay paranoid. If the agent does something weird, don’t just accept it. Actually look at what happened.
Where This Is Going
We’re stuck in an awkward moment. These AI agents are useful enough that people want them, but they’re not secure enough to actually trust. The tech industry is basically asking regular users to beta test security models that haven’t been proven in the wild.
That’s not a reason to avoid agentic AI completely. The productivity gains are real. But it is a reason to think carefully about what permissions you hand over and what actions you let these systems take unsupervised.
The question isn’t whether agentic AI goes mainstream. It will. The question is whether the security catches up before we get a string of ugly breaches that make everyone regret trusting their inbox to a chatbot.
Looking at the current state of prompt injection defenses, I wouldn’t bet on the security side winning that race.
A Note for People Building This Stuff
If you’re working on AI agents or integrating LLMs that take actions in the world, please think about this seriously.
Follow the principle of least privilege. Only request the permissions you genuinely need.
Require confirmation for anything dangerous. Users should approve irreversible actions explicitly.
Treat external content as hostile. Because it might be.
Sandbox aggressively. Limit what a compromised agent can actually do.
Log everything. Make agent actions transparent so users (and you) can see what happened when things go wrong.
The technology is moving incredibly fast. Security needs to move faster, and right now it isn’t.
Next time an AI offers to handle something for you, maybe take a beat and think about what you’re actually giving it access to. That convenience has a cost, and we’re only starting to understand how steep it might be.