A growing number of browsers are experimenting with agent features that will act for you, such as booking tickets or shopping for various items. However, these agent capabilities also come with security risks that may result in loss of data or money.
Google has described how it handles user security in Chrome using models and consent for user actions. The company previewed agent capabilities in Chrome in September, and it says the feature will roll out in the coming months.
The company says it uses several models to keep the agent's actions in check. Google says it has built a user critic model using Gemini to examine the action items built by the planner model for a specific task. If the critic model thinks that the planned task does not serve the user's goal, it has the planner model cancel the strategy. Google notes that the critic model only looks at the metadata of proposed actions and not the actual web content.

What’s more, to prevent agents from accessing unauthorized or untrusted sites, Google uses Agent Origin Sets, which restrict the model to read-only origins and read-writable origins. A read-only origin is one whose content Gemini is allowed to consume. For example, on a shopping site, the listing is relevant to the task, but the banner ad is not. In addition, Google says that its agent is only allowed to click or type on certain iframes of a page.
“This deletion enforces that only data from a limited set is available to the agent, and this data can only be sent to the use of data that can be read. It also sends a browser that can be read,” the company said in a blog post.
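The read-only versus read-writable split described above can be sketched as a small policy gate. This is an added illustration, not Chrome's or Google's code; the class name, method names and all origins are hypothetical and constructed for the example.

```javascript
// Illustrative origin-set gate (hypothetical names, not Chrome's implementation).
class AgentOriginSet {
  constructor({ readOnly = [], readWritable = [] }) {
    this.readOnly = new Set(readOnly.map(AgentOriginSet.originOf));
    this.readWritable = new Set(readWritable.map(AgentOriginSet.originOf));
  }

  // Normalize to scheme://host[:port]; opaque or unparsable origins become null.
  static originOf(url) {
    let origin;
    try { origin = new URL(url).origin; } catch { return null; }
    return origin === "null" ? null : origin;
  }

  // Content may reach the model only if its origin is in either set.
  canRead(url) {
    const o = AgentOriginSet.originOf(url);
    return o !== null && (this.readOnly.has(o) || this.readWritable.has(o));
  }

  // Clicking and typing are limited to read-writable origins.
  canAct(url) {
    const o = AgentOriginSet.originOf(url);
    return o !== null && this.readWritable.has(o);
  }

  // Drop frames the model may not read; flag which of the rest it may act on.
  filterFrames(frames) {
    return frames
      .filter((f) => this.canRead(f.url))
      .map((f) => ({ ...f, actionable: this.canAct(f.url) }));
  }
}

// Constructed sample: a shopping task with a listing, a reviews widget and an ad.
const policy = new AgentOriginSet({
  readOnly: ["https://reviews.example/"],
  readWritable: ["https://shop.example/"],
});
const visible = policy.filterFrames([
  { name: "listing", url: "https://shop.example/item/42" },
  { name: "reviews", url: "https://reviews.example/widget?item=42" },
  { name: "banner-ad", url: "https://ads.example/slot/1" },
  { name: "inline", url: "data:text/html,<p>hi</p>" },
  { name: "lookalike", url: "https://shop.example.attacker.test/item/42" },
]);
```

Comparing full origins (scheme, host and port) rather than substrings is what keeps the lookalike host and the opaque `data:` frame out of both sets.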
Google also keeps a check on page navigation by inspecting URLs through another observer model. This can prevent navigation to malicious model-generated URLs, the company says.

The search giant said it is also handing the reins to users for sensitive tasks. For example, when an agent tries to navigate to a sensitive site with information like banking or medical data, it first asks the user. For sites that require login, it will ask the user for permission to use the Password Manager. Google says that the agent's model does not have access to password data. The company added that it will ask users before taking actions like making a purchase or sending a message.
Google said that, in addition to this, it also has a prompt-injection classifier to prevent unwanted actions and is also testing the agent's capabilities against attacks made by researchers.
AI browser makers are also paying attention to security. Earlier this month, Perplexity released a new open-source content detection model to prevent prompt injection attacks against agents.

