Teardown · 15 min

Inside Comet's trust problem — and the rebuild

An agentic browser is the most powerful and most dangerous form factor in consumer AI right now. Comet can read your tabs, click through sites, and act inside your logged-in sessions — which is exactly why a single successful prompt injection turns "summarize this page" into "drain this account." Comet is the highest-profile product in the category, which makes it the most useful one to take apart.

We took Comet into the Lab to examine the thing that decides whether agentic browsing has a future: the trust model. Here's what it gets right, where it settled, and how we'd rebuild an AI browser that can act on your behalf without becoming the attack surface.

Perplexity CometAgentic browserTeardown · 15 min

01 · The premise

Comet is Perplexity's agentic browser: an AI that doesn't just answer but acts — navigating pages, completing multi-step tasks, and operating inside authenticated sessions on your behalf. After launching at a premium, it moved to free, putting autonomous browsing in a lot of hands. The promise is real leverage: hand off the tedious multi-tab chores and let the agent finish them.

We picked it because the category's entire future rides on one question — can an agent with your privileges be trusted with untrusted web content? — and Comet is where that question is being stress-tested in public.

02 · What they got right

The capability is genuinely impressive. Interpreting the DOM, executing actions, and chaining steps across sites is hard, and Comet does it well enough that the leverage is obvious the first time it completes a real task. Going free was an aggressive, category-defining distribution move. And the underlying answer-engine DNA — synthesizing across sources — is a strong foundation for an agent that has to reason about what it's reading.

When it works and the content is benign, it's a preview of how a lot of web work gets done in a few years. The problem is the "when the content is benign" clause.

03 · Where they settled

The same-origin policy collapses to the quality of the injection defense

The web's foundational security boundary assumes code from one site can't act on another. An agent with your session privileges, taking instructions from page content, quietly dissolves that boundary: independent research shows that across multiple agentic browsers, a successful prompt injection re-enables cross-origin data theft that decades of browser security were built to prevent. The browser's safety is now only as good as its ability to tell your instructions from a webpage's.

Documented, serious exploits

Security researchers (Brave, Zenity, and others) demonstrated indirect prompt injection against Comet — including paths to operating inside an authenticated password-manager session and zero-click compromise via something as mundane as a malicious calendar invite, all while returning normal-looking output to the user. Fixes have been issued, but the pattern is structural, not a one-off bug.

Hidden-instruction surface is enormous

Injection can hide in white-on-white text, sub-pixel fonts, zero-width characters, CSS-positioned content — anything the model reads but the user can't see. In one comparison, an agentic browser blocked a small fraction of malicious pages where traditional browsers blocked roughly half. You can't fully sanitize the open web.

The market and regulators have noticed

A court blocked Comet's agent from acting in Amazon accounts, establishing that user permission to an agent isn't the same as platform authorization — and analysts have advised enterprises to block AI browsers outright over injection risk. Even OpenAI's security leadership has called prompt injection a frontier, unsolved problem. The capability is shipping ahead of the trust model.

04 · The rebuild

You cannot eliminate prompt injection at the model layer. So we wouldn't try. We'd rebuild the browser so that a successful injection can't reach anything that matters — trust becomes an architecture property, not a model promise.

1. Separate trusted intent from untrusted content

The user's instruction travels in one channel; page content is treated as data to be analyzed, never as commands. This is the single most important fix and the one most products skip.

2. Gate every consequential action

Reading is low-risk; acting (sending, buying, changing settings, moving money, cross-origin requests) passes through a policy layer with explicit, scoped permission. Default-deny on the dangerous verbs.

3. Least-privilege, per-task credentials

The agent never inherits your whole logged-in identity. It gets scoped, time-boxed access to the specific thing the task needs, so a hijack can't pivot into your password manager or email.

4. Confirm the irreversible

Anything that moves money, sends a message, or changes credentials requires a human tap — clearly summarized. Friction in exactly the right place.

Job in the agent loop	Candidate model	Est. latency	Est. cost / 1k actions	Why
Page understanding / parsing	Fast multimodal / text	~0.5–1.5s	~$2–$8	High volume, every page
Planning / action selection	Mid–top frontier	~2–5s	~$15–$45	Reasoning quality matters
Injection / safety classifier	Small dedicated model	~0.1–0.3s	~$0.20–$1	Runs on all ingested content

Planning-stage estimates, not a benchmark. Note the dedicated safety classifier as its own cheap, always-on layer — defense-in-depth, not a single model asked to both be helpful and police itself.

05 · The 6-week plan

What we'd cut, and how we'd ship it.

Week 1

Threat model & audit

Map every place page content can influence an action; rank by blast radius.

Week 2

Trust-channel separation

Split user intent from page content at the architecture level. Ships first; nothing else matters without it.

Weeks 3–4

Action policy gate

Default-deny on state-changing / cross-origin actions; scoped permissions; least-privilege credential broker.

Weeks 4–5

Safety classifier + confirmations

Always-on injection detection on ingested content; human-confirm on irreversible actions.

Week 5

Red-team

Throw the known injection techniques (hidden text, zero-width, CSS, calendar-invite vectors) at it; fix what gets through.

Week 6

Audit log & ship

Full action logging, user-visible activity trail, release.

06 · The verdict

Twelve months out, agentic browsing is too useful to disappear and too dangerous to ship the way it's shipping now. We expect the winners to be defined by their trust architecture, not their capability — the products that treat the open web as hostile by default and build real boundaries around what an agent can do. Regulators and enterprise security teams are going to force this; the only question is who gets there before an incident does it for them.

A remarkable capability sitting on a trust model the web's own security history says can't hold. The fix isn't a smarter model — it's an architecture where a successful injection reaches nothing worth stealing. That's buildable. It's mostly just not built yet.

FAQ

01 Is Perplexity Comet safe to use?+

For passive reading, the risk is lower. For agent mode acting inside logged-in sessions, researchers have demonstrated real prompt-injection exploits; treat high-stakes accounts with caution and keep confirmations on.

02 What is prompt injection in an AI browser?+

Hidden instructions embedded in a webpage that the AI reads and follows as if they came from you — potentially redirecting the agent to leak data or take actions you didn't request.

03 Can agentic browser security be fixed?+

Injection probably can't be eliminated at the model layer, but the damage can be contained by architecture: separating trusted intent from page content, gating actions, and using least-privilege credentials.

04 Why are enterprises wary of AI browsers?+

Because an agent runs with the user's full privileges, a single injection can reach everything the user can — which is why some analysts advise blocking them until the trust model matures.