I'm a web developer securing the world. I build things for the internet. HTML5,

Piloting Claude for Chrome


Two days ago I said:

I strongly expect that the entire concept of an agentic browser extension is fatally flawed and cannot be built safely.

Today Anthropic announced their own take on this pattern, implemented as an invite-only preview Chrome extension.

To their credit, the majority of the blog post and accompanying support article is information about the security risks. From their post:

Just as people encounter phishing attempts in their inboxes, browser-using AIs face prompt injection attacks—where malicious actors hide instructions in websites, emails, or documents to trick AIs into harmful actions without users' knowledge (like hidden text saying "disregard previous instructions and do [malicious action] instead").

Prompt injection attacks can cause AIs to delete files, steal data, or make financial transactions. This isn't speculation: we’ve run “red-teaming” experiments to test Claude for Chrome and, without mitigations, we’ve found some concerning results.

Their 123 adversarial prompt injection test cases saw a 23.6% attack success rate when operating in "autonomous mode". They added mitigations:

When we added safety mitigations to autonomous mode, we reduced the attack success rate of 23.6% to 11.2%

I would argue that 11.2% is still a catastrophic failure rate. In the absence of 100% reliable protection I have trouble imagining a world in which it's a good idea to unleash this pattern.

Anthropic don't recommend autonomous mode - where the extension can act without human intervention. Their default configuration instead requires users to be much more hands-on:

  • Site-level permissions: Users can grant or revoke Claude's access to specific websites at any time in the Settings.
  • Action confirmations: Claude asks users before taking high-risk actions like publishing, purchasing, or sharing personal data.

I really hate being stop energy on this topic. The demand for browser automation driven by LLMs is significant, and I can see why. Anthropic's approach here is the most open-eyed I've seen yet but it still feels doomed to failure to me.

I don't think it's reasonable to expect end users to make good decisions about the security risks of this pattern.

Tags: browsers, chrome, security, ai, prompt-injection, generative-ai, llms, anthropic, claude, ai-agents

yayadrian
1 day ago
It’s probably the future but not sure if we are ready for it yet.
Leicester, UK

three books dot net


As a moderate, semi-dangerous San Francisco liberal, The Ezra Klein Show is required listening. The Vox co-founder and New York Times opinion contributor brings on smart guests to talk about smart things. At the end of every episode Ezra asks his guests this question:

“What are three books you’d recommend to the audience?”

Every time I listen to the show I think to myself: “I should write these down! I’m always looking for good non-fiction books to read, and these seem interesting!” Now, the Times does the Right Thing by including all of those book recommendations in the RSS feed, and linking to them on their site. But I’m lazy, and I wanted them all in one place.

So I put them all in one place: 3books.net.

  • Built with Claude Code, hosted on Vercel & Neon, with book data from ISBNdb.
  • The system parses the RSS feed from the Times, and uses GPT 3.5 to pull out the recommended books, and write little bios of the guests. Stuffs all that into the database.
  • It looks up the books in ISBNdb, grabs some metadata about the books, stuffs all that into the database.
  • The system does the best it can to associate a single book across multiple episodes (The Origins of Totalitarianism has been recommended in seven episodes!).
  • The processing isn’t perfect! Sometimes it will include a book written by the guest! I’m OK with that.
  • The home page shows the books recommended in recent episodes (and skips any episodes that don’t have book recommendations), detail pages for books and episodes show, well, details.
  • I’ve started doing some basic “recommended with:” pivots on books, so you can see what other books have been recommended alongside the one you’re currently viewing.
  • Search sort of works! It’s not fancy.
  • I like the “random book” and “random episode” features.
  • The system currently has about 1300 books across nearly 500 episodes. I want to explore more ways to browse this corpus; it’s a tidy little dataset.

I like projects, I like books, I like podcasts, I like RSS feeds. I think I would like Ezra Klein! Seems like a nice guy. (Hmmm, is all of this just an extreme case of parasocial fan behavior? Yikes.)

And I love making software. Making software with Claude Code has been a very interesting experience. I’ve gone through all the usual ups and downs – the “holy shit it worked” moments, the “holy shit the robot is a f’ing idiot” moments, the “wow, you really are a stateless machine without any memory, aren’t you” moments. But it’s super fun and incredibly empowering to have what Josh Brake calls “an e-bike for the mind” at your beck and call.

The site isn’t perfect, and there’s still more that I want / need to do. But if it’s good enough to buy a domain name for, it’s good enough to share.

So, go. Browse. Find a good book to read! Let me know what you pick.


Quoting Steve Krouse


When you vibe code, you are incurring tech debt as fast as the LLM can spit it out. Which is why vibe coding is perfect for prototypes and throwaway projects: It's only legacy code if you have to maintain it! [...]

The worst possible situation is to have a non-programmer vibe code a large project that they intend to maintain. This would be the equivalent of giving a credit card to a child without first explaining the concept of debt. [...]

If you don't understand the code, your only recourse is to ask AI to fix it for you, which is like paying off credit card debt with another credit card.

Steve Krouse, Vibe code is legacy code

Tags: vibe-coding, ai-assisted-programming, generative-ai, steve-krouse, ai, llms

yayadrian
29 days ago
This makes a lot of sense
Leicester, UK

‘Abandoned NYC’, Photos of New York City’s Abandoned Spaces by Photographer Will Ellis


Since 2012 Brooklyn-based photographer Will Ellis has been documenting eerie abandoned locales in New York City in his ongoing photo series Abandoned NYC. The series has taken Ellis to all five boroughs, including a decaying mental hospital in Queens and an abandoned dormitory in Staten Island. Ellis has distilled 150 photos from the series into a photo book (available from the author and from Amazon). Ellis will be discussing New York City’s abandoned spaces in a lecture at the New York Public Library on May 7, 2015.


photos by Will Ellis

via Ufunk.net


A Circular Wave Tank Generating Water Spouts and Other Impressive Aquatic Phenomena


The FloWave wave and current research tank demonstrates the wide variety of waves it can generate in this fascinating short video from 2014 (the water spouts are particularly impressive). Located at the University of Edinburgh, the 82-foot diameter tank features an unusual circular design that allows waves and currents to be directed in any direction. A ring of 168 wave generators lines the edge of the tank, while 28 flow-drive units can generate currents of over 13 MPH. The tank is primarily used to test scale models of devices intended for use in water.

via Digg


Here’s an excellent essay about what it’s like to work in an office


It’s by Ramona Emerson (not pictured), one of the best writers of all time:

The weird thing about working all day everyday is that you’re going to die. and when you die you’re dead forever. Like who is the person who said, “I know. Five days will be for work and two days will be for brunch and everything else good.” That person must have hated people. And the thing is we just go along with it like there’s some kind of biological imperative to work five days a week. Like evolutionary psychology could be made to explain it just like it is made to explain everything that no one wants to deal with. You’re 28 and salad is the best part of your day. 

People have such weird ideas about work. If you told your mom you hated your boyfriend and he made you want to die, she would be like, “Break up with him!” But if you told your mom that you hated your job and it made you want to die, she’d be all, “Maybe you need to adjust your expectations.”

Offices are so strange. It’s so hard to know what’s going on in them. Are other people working? It’s impossible to say since for a lot of people working has become indistinguishable from fucking around on the internet.

Read on for lots more, including bathroom sex fantasies and spinach and goat cheese salad.

[Photo by MCC]




samuel
3794 days ago
"You get your spinach and goat cheese salad, because you’re only young once, and then you immediately head back inside. You get to your desk, and you sit down, and the fucking insane part is that you’re relieved. It feels good to sit."
Cambridge, Massachusetts
awilchak
3794 days ago
This writer is indeed great
Brooklyn, New York