Agentic browsers promise to turn natural language into action: research a topic, book a flight, summarise your inbox. But the same capabilities that make them useful also make them dangerous. A February 2026 audit by Trail of Bits of Perplexity’s Comet browser showed how prompt injection could trick the agent into exfiltrating a user’s Gmail messages.
The finding is a concrete example of a long-warned risk. Once an AI agent can read email, browse websites and act on a user’s behalf, an attacker no longer needs to exploit a traditional software vulnerability. They can simply instruct the agent to do something harmful, embedded in content it is trusted to process.
How the attack worked
Trail of Bits applied threat modelling and prompt-injection testing to Comet, treating the browser as an autonomous system with access to sensitive data and external services. The researchers showed that malicious content — instructions hidden in a web page or email — could override the user’s task and direct the agent to perform unauthorised actions.
In the demonstrated scenario, the agent was manipulated into accessing Gmail and sending data out. The attack did not rely on a flaw in Gmail’s security. It relied on the agent’s inability to distinguish legitimate user intent from injected instructions in content it consumes.
This is the core prompt-injection problem. The model sees instructions everywhere: the user’s query, page content, email bodies, PDF attachments. Without a robust boundary between trusted and untrusted instructions, any source becomes a control channel.
Why agentic browsers are different
Traditional browsers execute code from websites, but that code is sandboxed and constrained by the same-origin policy, permission prompts and years of defensive engineering. Agentic browsers add a reasoning layer that can interpret ambiguous instructions, chain actions together and decide what to do next. That flexibility is the selling point — and what makes prompt injection consequential.
An agentic browser with access to email, calendars, documents and SaaS tools is effectively a privileged user. If an attacker controls its instructions, they can use those integrations to steal data, send messages, delete records or perform transactions. The attack surface is the model’s reasoning process, not the browser’s code.
What organisations should do
For firms evaluating or building agentic workflows, the audit is a reminder to treat these tools as high-risk integrations.
Restrict scope. An agent that can read email and browse the web is more dangerous than one that only searches Wikipedia. Start with narrow permissions and expand only when you understand the failure modes.
Require human approval for consequential actions. Sending email, exporting data, making payments and deleting records should not happen without explicit confirmation. The convenience cost is real, but so is the exfiltration risk.
Monitor agent behaviour. Logs should record not just what the user asked, but what the agent did, what content it consumed and what tools it invoked. Anomalous action chains should trigger review.
Assume prompt injection will succeed. Design the system so that a successful injection does not lead to catastrophic outcomes. This means least-privilege access, output filtering and clear separation between trusted system prompts and untrusted content.
The bottom line
Agentic browsers are a genuine leap in usability, but they reintroduce a classic security lesson: convenience and control are in tension. Trail of Bits’s audit shows the threat is no longer theoretical. Organisations that deploy these tools without adjusting their security model may find one injected instruction bypasses years of careful access control.