A new study highlights how agentic AI browsers can be tricked by scams that many human users would flag, including fake retail sites, phishing emails and prompt injection traps.
Guardio’s tests on Perplexity’s Comet
The report, titled “Scamlexity,” comes from cybersecurity startup Guardio, which makes a browser extension aimed at real-time scam detection. According to Engadget, the researchers used Perplexity’s Comet AI browser as their test subject, describing it as the only widely available agentic browser at the time of testing.
Guardio created a fake website impersonating Walmart and instructed Comet to purchase an Apple Watch from it. The browser proceeded despite telltale signs, including a distorted logo and suspicious URL, and completed the checkout process, handing over financial details. In a separate trial, the team sent a phishing email spoofing Wells Fargo that linked to a real phishing page. Comet opened the link without warning and entered a bank username and password on the site.
Prompt injection also proved effective
A third experiment showed Comet responding to a prompt injection embedded in a phishing page, where a concealed text box directed the AI to download a file. The study frames these outcomes as evidence that agentic systems can be steered into harmful actions when they lack contextual judgment and rely on following instructions.
Broader implications for agentic AI
The findings suggest that agentic AI may be vulnerable not only to novel scams but also to long-standing tactics that exploit inattentiveness or misplaced trust. Engadget’s report notes that if a human prompter overlooks red flags, the agentic browser is unlikely to act as a safeguard and may instead carry out risky steps as requested.
This comes as major companies move ahead with agentic browsing tools. Engadget cites Microsoft’s work to add Copilot to Edge, OpenAI’s Operator announced in January, and Google’s Project Mariner, which has been in development since last year. The report warns that without stronger scam detection built into these systems, agentic AI could become a significant blind spot or even an additional avenue for attackers.
Guardio’s study centered on a single product and controlled scenarios, but its tests underscore the need for robust protections when delegating tasks like email summarization or online purchases to autonomous browsing agents.
