Everyday AI

Your browser can now click Buy for you. It reads the page's instructions too.

Google's auto browse lets an AI click and type across your tabs, in a US-only paid preview. The same agent obeys instructions hidden on the pages it reads. How to keep a hand on it.

A hotel concierge holds out a tray carrying a guest's house keys, wallet, phone, and a folded note as the guest wheels a suitcase toward the door.

You type “find me three plumbers and get quotes” into Chrome and walk away to make coffee. Gemini opens tabs, compares contractors, starts filling in the contact forms, and pauses at the send button to check with you. To do any of that, it reads every word on every page it lands on. Some of those words are there to steer the AI, placed by whoever controls the page.

This is already shipping. Google has auto browse, its name for an AI that browses and acts on your behalf, rolling out in preview to paying subscribers in the US, and by its own account the guardrails “don’t guarantee protection against all risks.”[1] What you hand over is access: the Gmail it can read, the passwords it can use, the checkout it can complete.

Let a browsing agent run only the errands you would happily watch from start to finish. For anything that spends money, sends a message, or signs into a sensitive account, do not approve the confirmation prompt without reading it: on today’s version, that pause is the only safeguard left before the agent does something you can’t take back.

Walk away from it while it’s logged into your inbox, and a single page written to trick the AI can act with your full permissions. Nothing will surface as an error.

What you turned on can click, type, and sign in as you

Auto browse does more than answer. It works across your open tabs, chooses which sites to visit, can share your information with a site, and can pull in Google Password Manager to sign in for you.[1] “Agentic” is the industry word for this. In plain terms: the AI does the clicking.

Handing this feature your browser is handing your unlocked laptop, your saved passwords, and your card to a stand-in who follows any instruction written on the page in front of them, then stepping out of the room. The stand-in is capable and well meaning. They also do exactly what that page says, whoever wrote it.

Underneath the analogy is a plain loop. The agent reads the current page, decides the next action, and performs it by clicking and typing, then reads the result and goes again. Every step it takes is chosen from what it just read.

You pay for this, and it lives in Chrome on a US desktop

It’s easy to picture this as something every phone now does automatically. It’s not. Auto browse is gated: it needs a paid Google AI subscription (AI Pro or AI Ultra), you must be 18 or over and in the US, and it runs on the desktop (Windows, MacOS, and Chromebook Plus).[1][2] You pay for it, you switch it on yourself, and it runs in Chrome rather than deep in the operating system. Its top Ultra tier launched at $249.99 a month.[3]

| | Chrome auto browse | Phone Gemini |
|---|---|---|
| Where it runs | In Chrome on desktop (Windows, MacOS, Chromebook Plus) | OS-level on the phone, driving other apps |
| What you need | Paid Google AI plan (AI Pro or AI Ultra; Ultra launched at $249.99/mo), 18 or over | A newest flagship (Galaxy S26 or select Pixel 10) |
| Availability | US only | US and Korea to start |
| What it can touch | Open tabs, sites it visits, your info, Google Password Manager sign-in | A curated set of food, grocery, and rideshare apps |
| How you start it | Switch it on and type a task in Chrome | A long press of the power button |
| Maturity | Preview | Early beta |

Google is also testing an agent baked into the phone itself. Gemini Intelligence can drive other apps for you at a long press of the power button, but it’s an early beta on the newest flagships, the Galaxy S26 and select Pixel 10, scoped to a curated set of food delivery, grocery, and rideshare apps, in the US and Korea to start.[4][5]

So route yourself before you turn anything on:

  • This is for you if you’re a US desktop user on a paid Google AI plan with repetitive web chores (comparison shopping, form-filling, quote-gathering) and you’re willing to supervise them.
  • Skip it if you expected a free hands-off autopilot, or if you’d run it while logged into accounts you can’t afford to have act without you.

The failure that matters is a wrong action, taken with your accounts

When a chatbot is wrong, you get a bad sentence and you move on. When an agent is wrong, it does something: buys the wrong item, messages the wrong person, submits a form you can’t un-submit.

Ask it to cancel the streaming service you stopped watching. If it locks onto the wrong row in your account, it cancels the one you watch every night. It read the page correctly and still pulled the trigger one line off.

This is why people who build agents talk about blast radius: how far one wrong step can reach before something stops it. For an agent holding your logins, that reach is every account it can touch.

The harm is measured in actions now, taken with your credentials and hard to take back.

The page it is reading can hand it new orders

Here’s what makes an acting agent different from a merely careless one. Because every step is driven by what the agent reads, whoever controls the page controls part of the instructions. Google calls it prompt injection: a page, an email, or a document can carry “malicious instructions that might be hidden from you but visible to the AI agent.”[1]

A four-node agent loop drawn as a diamond that cycles clockwise: Read the page, then Decide the action, then Click and type, then Read the result, then back to Read the page (the return arrow is labeled 'then goes again'). The Read the page node is highlighted as the point where instructions enter; a muted caption beneath it reads 'where orders enter.' Two arrows feed into that Read node from the left. The first is neutral, labeled 'Your task,' with the example instruction 'find me three plumbers and get quotes.' The second is drawn in alert red and labeled 'The page's hidden text,' quoting Google's own description of prompt injection: instructions 'hidden from you but visible to the AI agent' (Google's own words). Both arrows converge on the same Read node, showing that the agent receives your task and the page's hidden instructions through the same channel and acts on both, unable to tell them apart. The bottom line reads: 'To an agent, a web page is untrusted input that can rewrite the job midway.' This is a conceptual diagram, not data; no measured numbers appear.

The examples are Google’s own. A booby-trapped page could tell the agent to take your private information from your emails and post it on a public website, or to send your Gmail to an outside address without you knowing.[1] You never see the text. The agent reading on your behalf does, and it was built to follow instructions.

If that pattern sounds familiar, it’s the same attack we walked through with a poisoned calendar invite: text you never read, aimed at the assistant that reads for you. The difference now is the stakes. Injection used to mean leaked data. Aimed at an agent that can act, the same hidden text can spend your money, send your mail, and sign in as you. And when the page is a storefront, even honest sales copy can steer the agent: the site is written by someone who wants the sale. We unpack that quieter problem in whose side is your shopping agent on.

To an agent, a web page arrives as instructions it can’t tell from your own, and any line of it can rewrite the job midway.

Google built guardrails, then told you they are not enough

Google did not ship this blind. Auto browse is built to pause and ask before the consequential moves: starting a task, sending communications, modifying your data, submitting web forms, scheduling events, or touching sites with sensitive financial or health data, and to hand the wheel back to you to finalize a financial transaction.[1] It also tries to keep its activity to sites relevant to your task, so a detour onto a hostile page has less to grab.[1]

Then Google says the quiet part in plain type. In its own help docs, “Monitoring your tasks is the most important way to protect against risk,” and those safeguards “don’t guarantee protection against all risks.”[1]

Read that as the design telling you the truth. On today’s version, the human in the chair is the safety system.

Give Google credit for writing that down, because it may be the most useful sentence in the documentation. It changes what “approve” is supposed to mean. The confirmation prompt is only a control if you actually read what it’s about to do before you tap yes.
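The pause-and-confirm behaviour described above can be modelled as a small gate in front of each step. This is an added toy model, not Google's implementation: the action kinds, the `gate` and `run` functions, the host names, and the plan are all assumptions made for illustration. It shows why the prompt protects only when the approver reads it.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Kinds follow the page's list of moves that pause; the names are this example's.
CONFIRM_KINDS = {"send_message", "modify_data", "submit_form", "schedule_event"}

@dataclass(frozen=True)
class Action:
    kind: str      # "navigate", "submit_form", "send_message", "pay", ...
    url: str
    summary: str   # the text a confirmation prompt would show

def gate(action, task_hosts, sensitive_hosts=frozenset()):
    """Return 'allow', 'confirm', 'handoff' or 'block' for one proposed step."""
    host = urlsplit(action.url).hostname or ""
    if action.kind == "pay":
        return "handoff"                  # the user finalizes transactions
    consequential = action.kind in CONFIRM_KINDS
    if consequential and host not in task_hosts:
        return "block"                    # off-task site: do not even ask
    if consequential or host in sensitive_hosts:
        return "confirm"
    return "allow"

def run(plan, approve, task_hosts):
    """Walk the plan; approve(action) stands in for the person at the prompt."""
    log = []
    for action in plan:
        verdict = gate(action, task_hosts)
        if verdict == "confirm":
            verdict = "done" if approve(action) else "declined"
        elif verdict == "allow":
            verdict = "done"
        log.append((action.summary, verdict))
    return log

# Constructed plan: the last three steps stand for actions hidden page text added.
HOSTS = {"ace-plumbing.example", "pipeworks.example"}
PLAN = [
    Action("navigate", "https://ace-plumbing.example/contact", "Open Ace Plumbing"),
    Action("submit_form", "https://ace-plumbing.example/quote", "Request quote from Ace"),
    Action("submit_form", "https://ace-plumbing.example/plan", "Enroll in Ace annual plan"),
    Action("send_message", "https://mail.example/send", "Email inbox export"),
    Action("pay", "https://pipeworks.example/checkout", "Pay Pipeworks deposit"),
]
def rubber_stamp(action):
    return True                           # taps yes without reading

def reads_prompt(action):
    return "quote" in action.summary.lower()   # approves only what was asked for
```

With `rubber_stamp` the annual-plan enrollment goes through; with `reads_prompt` it is declined, while the off-task email is blocked and the payment is handed back either way.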

Keep the errands small and stay in the chair

  • Only launch what you’d watch end to end. If you wouldn’t sit through it, don’t start it. Your attention is what keeps it safe.
  • Sign out of what you can’t afford to lose control of first. An agent can’t spend from a bank tab that isn’t logged in, or empty an account it can’t reach.
  • Read every confirmation before you approve it. The pause protects you only if you use it to look. A rubber-stamped prompt is no prompt at all.
  • Keep it off pages and accounts you don’t trust. The more sensitive the tab, the more a hostile page can turn the agent’s access against you.
  • On the newest-phone OS preview, the same rule holds. It’s scoped to food, grocery, and rideshare and it asks for a final confirmation, so give that confirmation on purpose.[5]

The shift here is that the same intelligence now carries the loop all the way to the click: it reads the page, decides, and acts. And the reliability question for anything that can act is always the same: how far can one wrong move reach, and what stops it. That’s the whole subject of our research desk’s playbook for reliable AI agents in production: the same containment thinking a company applies to its own agents is the thinking you now apply to the one in your browser. Keep the blast radius small, and keep watching.

Footnotes

  1. Google Chrome Help, “Ask Gemini in Chrome to complete tasks for you with auto browse.” Auto browse working across open tabs, sharing your info with sites, and using Google Password Manager; the confirmation-before-certain-actions list and the take-over step for finalizing financial transactions; the prompt-injection definition and examples; the “restricts its activity to the websites and actions relevant to your task” scoping; the “monitoring your tasks is the most important way to protect against risk” and “don’t guarantee protection against all risks” statements; and the US, 18-or-over, AI Pro / AI Ultra, desktop-only availability: https://support.google.com/chrome/answer/16821166

  2. Google, “The new era of browsing: Putting Gemini to work in Chrome.” Auto browse rolling out in preview for AI Pro and AI Ultra subscribers, available on Windows, MacOS, and Chromebook Plus in the US; the pause-and-confirm behavior before actions like making a purchase or posting on social media; Google Password Manager sign-in; and “entirely new defenses to help protect you from new types of online threats”: https://blog.google/products-and-platforms/products/chrome/gemini-3-auto-browse/

  3. Google, “Introducing Google AI Ultra: The best of Google AI in one subscription.” Google AI Ultra launch price of $249.99/month in the US: https://blog.google/products/google-one/google-ai-ultra/

  4. Google, “A smarter, more proactive Android with Gemini Intelligence.” The OS-level agent on the Galaxy S26 and Pixel 10 triggered by a long press of the power button, and “Gemini only acts on your command and stops the moment the task is complete. All that’s left for you is the final confirmation”: https://blog.google/products-and-platforms/platforms/android/gemini-intelligence/

  5. Android Developers Blog, “The Intelligent OS: Making AI agents more helpful for Android apps.” UI automation “launching as a beta feature in the Gemini app,” supporting “a curated selection of apps in the food delivery, grocery, and rideshare categories in the US and Korea to start,” and “users are in control while a task is being actioned in the background through UI automation”: https://developer.android.com/blog/posts/the-intelligent-os-making-ai-agents-more-helpful-for-android-apps