AI browser extensions
Are AI browser extensions safe?
Claude, ChatGPT, Codex and Gemini can now read and act inside your browser. That's genuinely useful, and it's a new attack surface. Here's what each one can access, the documented risks, and how to check what it really sees.
Why an AI extension is different from a normal one
A normal extension does one narrow thing. An AI browser agent reads the page you’re on and can act on it - click, type, navigate, submit - usually under a permission that reads “read and change all your data on all websites.” That makes the instructions it follows the security boundary. If a web page can smuggle in instructions the agent obeys - prompt injection - your logged-in sessions are the thing it acts against. Each page below breaks down exactly what that means for one tool.
Claude for Chrome · Anthropic
Claude for Chrome is a genuine Anthropic extension that reads your screen and acts on any site you're logged into. Anthropic's own red team found that targeted prompt injection succeeded 23.6% of the time without mitigations. Here's what it can access and how to check it.
ChatGPT in Chrome (Atlas + extensions) · OpenAI
There's no single "ChatGPT Chrome extension". OpenAI ships the Atlas browser and a modest search extension; most "ChatGPT sidebar" extensions are third-party, and several with 900k+ installs were caught stealing chats. Here's how to tell them apart and stay safe.
OpenAI Codex Chrome extension · OpenAI
OpenAI's Codex Chrome extension (launched May 2026) lets the Codex coding agent drive your real, signed-in Chrome - Gmail, internal tools and all. It requests read-and-change access to every website and your browsing history on every device. Here's what that means.
Gemini in Chrome · Google
Google's "Gemini in Chrome" is built into the browser, not an installable extension - so most "Gemini extension" search results are third-party. Here's what the official feature can access, the real vulnerabilities found in it, and how to spot the fakes.