Companion to our earlier post on “How to Prevent AI Prompt Injection.” This post explores agentic browsing, why Comet and similar tools are gaining traction, and how scoped automation workflows offer a safer path. Please note that this information is not meant to be a complete or exhaustive guide, but rather a starting point to help you explore the topic and conduct your own research.
Comet is Perplexity’s AI-powered browser. Based on Chromium – which underpins both Google Chrome and Microsoft Edge – it includes an assistant that can summarize pages, navigate forms, and interact with connected services such as Gmail and Calendar. These connectors make it more than a search tool: it’s an action layer on top of the web. It promises to do your shopping and book your dinner reservations for you… although, as with early version of LLMs, it’s maybe not ready for primetime. We tried to book a restaurant reservation and it spent several minutes and eventually booked it for the wrong week; it took us three clicks and a few seconds to do it manually.
More broadly, agentic browsing describes any AI that can read a web page, decide what to do, and act. Google’s Project Mariner prototype shows this “observe, plan, act” loop in action: it watches your browser session, plans steps, and executes them automatically. It can even “teach and repeat” tasks. That makes agentic browsers feel less like search engines and more like coworkers who can click for you. The value proposition and time savings are obvious – however, it introduces new security risks that you should consider.
AI-assisted browsing is growing quickly. A 2025 AP-NORC survey found that 60 percent of U.S. adults use AI to search for information; Pew reports that about 1 in 10 adults sometimes get news through AI chatbots. Meanwhile, Similarweb data show “zero-click searches” rising from 56 percent to 69 percent year-over-year after Google’s AI Overviews launch. If people already expect answers on one page, it is a short leap to an agent that acts for them. As you, your family members, or others at your business adopt agentic browsing, you should be careful to follow some security best practices.
In our earlier article How to Prevent AI Prompt Injection, we explained how hidden text can manipulate an AI workflow that reads outside data. Security researchers at LayerX revealed a one-click exploit of this nature nicknamed CometJacking. When a user clicks a specially crafted link, it silently triggers the browser’s AI to retrieve private data such as Gmail messages or calendar entries, encode them in Base64, and send them to an attacker-controlled endpoint. The attack needs no credential theft because the agent already has authorized access. This is particularly dangerous in an agentic context, such as agentic browsing, because the agent has access to whatever you give it – and people often store credit card or banking information, or access to email or drive accounts that contain that information, in the browser.
Expanded attack flow — step by step
An attacker publishes a link or page that looks normal at a glance. It might be a shortened URL in a phishing email, a blog post, or a seemingly innocuous page element.
The link or page contains an instruction or payload framed so the agent treats it as a task. That payload can be visible text, hidden HTML comments, or metadata embedded in the page.
The user clicks the link while using an agentic browser that is signed into services such as Gmail, Calendar, or cloud drives.
The browser agent reads the malicious instruction and treats it as an authorized prompt. It executes the requested steps: open the inbox, read messages that match a pattern, extract fields, build a payload.
The agent obfuscates the data (for example by Base64 encoding) and transmits it to an attacker-controlled endpoint.
Because the agent had already-granted permissions, the whole process happens without any credential theft and can bypass protections that rely on passwords alone.
How this ties back to prompt injection
Prompt injection is the broader class of attacks where untrusted content contains instructions that trick an AI into doing something it should not. In our prompt-injection guide we covered how hidden text in emails, documents, or web pages can manipulate models that treat retrieved content as authoritative. CometJacking is the same underlying technique, but with a higher-impact outcome because the agent can act on what it reads instead of only generating text output. The core mechanics are shared: malicious instructions hidden in plain sight, the model treating retrieved content as an instruction, and automation magnifying the impact.
Compare and Contrast: Workflow Automation vs. Agentic Browsing Risks
Agentic browsing has meaningful risk. A browser agent like Comet or Project Mariner not only interprets text, but also clicks buttons, sends emails, or fetches data from connected accounts. A prompt-injection defense stops the AI from misunderstanding text; an agentic-browsing defense must also stop it from taking harmful actions after it misunderstands.
Scoped automation workflows have risk too, but it is lower and easier to manage. A workflow in n8n, Make, or Zapier executes predefined steps with narrow access: for example, reading a mailbox folder, drafting a report, or sending approved emails. Because every connection and permission is fixed, these workflows have limited “agency.” They cannot access or act upon all data, which drastically reduces exposure to hidden-prompt or CometJacking-style attacks.
By contrast, an autonomous agent can improvise. It may follow a hidden instruction in a webpage, access sensitive connectors, or perform unintended actions. That is why we recommend pairing your agentic tools with the same defensive mindset used in workflow automation: least privilege, human confirmation steps, and clear audit logs. For a refresher on those layered defenses, revisit our prompt-injection guide.
A Few Best Practices to Reduce Comet Browser Security Risks
As always, we caution that this is not intended to be comprehensive, but rather a starting point for your own research.
Treat links as potential agent commands. Avoid opening unknown or shortened links in an agentic browser. Use a standard browser profile with no sensitive logins for anything uncertain.
Disconnect high-value connectors. Keep Gmail and Calendar disconnected except when absolutely needed. Reconnect only for specific tasks.
Use separate profiles. Give your agent its own Chrome profile with no saved passwords or auto-logins, or only the minimal security credentials needed to accomplish the task at hand.
We hope this was helpful! Contact us if you have questions, and join our mailing list for future explainers on AI security as well as other topics.
