Why have we forbidden agentic browsers at MarsBased?

Agentic browsers are untamed. A diamond in the rough. As such, they need polishing before we fully utilise them in a safe way. In the meantime, we are not using them at MarsBased.

AI-powered browsers, like Perplexity's Comet or OpenAI's Atlas, are changing the way we interact with the web. But as they become more capable, they also open the door to new cybersecurity threats. In fact, Gartner cautioned against the usage of agentic browsers at large, but especially so "Organizations with low risk tolerance may need to block AI browsers for the longer term".

Artificial Intelligence is rapidly transforming our day-to-day. We have been actively using AI tools for many years now (Raycast, Riverside, Gemini, ChatGPT, Claude, etc) and we've also been developing AI projects for others since we decided to invest in AI as a business line in the company. The rise of agentic browsers made us want to try these tools as well to see if we could optimise certain workflows to make us more efficient at coding. By "outsourcing" or delegating non-coding tasks to agents, we could maximise the time we spend writing code and thinking through the best way to architecture the projects we build for our clients.

Agentic browsers allow users to ask AI questions about open tabs, analyze websites, and even perform tasks like filling out forms, making purchases, or managing data online. I personally use them to analyse our website and give us way to improve it, and to compare it to competition, but there are millions of uses you could try.

They promise to save time and make browsing more seamless, allowing you to multitask even more. However, these capabilities also come with significant security concerns.

The hidden risks of agentic browsing

Recent research has revealed that malicious prompts can be embedded in a website's code to manipulate these AI agents. Once triggered, these prompts could:

• Reveal passwords or sensitive client data
• Make unauthorized purchases
• Download and execute malware
• Access company files without user consent

The danger lies in how easily an AI agent can be tricked into performing harmful actions, often without the user even noticing. It reminds me of how people injected camouflaged keywords with the same colour as the background of the site to boost SEO, or when JavaScript started popping up in websites doing nasty things to users like blocking their mouse pointer or disabling right-clicks. Most recently, we've seen people doing the hidden text in CVs injecting prompts so the reviewer's ChatGPT account would swallow them whole without noticing.

MarsBased's policy

To protect our team and our clients, the use of agentic browsers is strictly prohibited on any device that has access to passwords, company tools, or client data. This policy will remain in effect until these technologies prove to be secure and enterprise-ready, to avoid breaching the strict security policies of some of our corporate clients like Moody's, Citadel Securities or HP.

At the end of the day, it’s not just browsers. Code Agents, such as Cursor, also interact with online resources and are vulnerable to similar attacks. These tools typically ask whether you trust a domain before making a request, and it's crucial to never click “Accept all” without reviewing it properly.

Since tools like Cursor have access to local terminals, a single permission mistake could expose your computer or repositories to harmful code. For instance, a malicious dependency added to a package.json file could install malware during a routine npm install.

MarsBased recommends configuring Cursor to always ask before applying changes, including installations or updates. You can learn more about permission settings here:

https://docs.cursor.com/es/cli/reference/permissions

AI-driven development and browsing tools have made us better as a team and as a company. But, with great power comes great responsibility. Our cautious approach is not to limit innovation or delay progress, it's to ensure that security always comes first.

Better safe than sorry.