Blog/June 16, 2026

Is Claude in Chrome Safe? The Permissions It Asks For, Explained

Claude's official Chrome extension asks for broad read/write access across the web. Here's exactly what permissions it requests, what stays on your machine vs. goes to Anthropic, and the lock-down setting most users miss.

Anthropic's official Chrome extension — "Claude in Chrome" — does something most extensions don't ask permission to do: it can read every page you visit, type into forms, click buttons, and navigate websites on your behalf. That power is the whole point. It's also the whole risk.

If you're considering installing it (or already did), the right question isn't "is Claude trustworthy?" — Anthropic is one of the more conservative AI labs. The right question is: what does the extension see, what leaves your browser, and what setting controls that?

This is the straight answer, based on the permissions declared in the Chrome Web Store listing, Anthropic's own documentation, and a careful read of the extension's behavior.

What Claude in Chrome Actually Does

Claude in Chrome is an agentic browser extension. When you ask Claude to do something in the side panel, it can:

  • Read the content of the page you're on
  • Click links, buttons, and form controls
  • Type into input fields
  • Navigate to new URLs
  • Take screenshots of what it's about to act on (so you can review)
  • Wait for pages to load before acting next

This is fundamentally different from a chatbot side panel. ChatGPT's or Gemini's standard sidebar extensions read the page you're viewing and let you chat about it. Claude in Chrome operates the browser — it can use your logged-in sessions on Gmail, Notion, Salesforce, your bank, anywhere.

That's an enormous capability surface. It's also exactly the kind of capability where permissions matter.

The Permissions Claude in Chrome Requests

Pulled directly from the extension's manifest.json (visible in the Chrome Web Store listing), Claude in Chrome declares:

| Permission | What it unlocks |
|---|---|
| tabs | List open tabs, see their URLs/titles, switch between them |
| activeTab | Read content of the current tab when you invoke the extension |
| scripting | Inject JavaScript into pages to read/modify content |
| host_permissions: <all_urls> | The above, on every URL you visit |
| sidePanel | Run the chat UI as a side panel instead of a popup |
| storage | Save your settings, conversation history, preferences locally |
| notifications | Display system notifications |

The headline is host_permissions: <all_urls> combined with scripting. That combination means the extension can, technically, read and modify any page you visit — your bank's session, your email, internal company tools, anything.

The Incogni January 2026 study of 442 AI Chrome extensions found that 42% of all AI extensions request the scripting permission — so Claude isn't an outlier in asking. The question is what it does with that ask.
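
To check any extension's manifest for the broad host access plus scripting combination described above, the following added example (not code from Anthropic or from the extension) audits a Manifest V3 object. The sample manifest is constructed from the table above, and the finding ids and severity labels are this example's own convention.

```javascript
// Added example, not Anthropic's code. SAMPLE_MANIFEST is constructed from the
// permissions table above; it is not the extension's real manifest.json.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  permissions: ["tabs", "activeTab", "scripting", "sidePanel", "storage", "notifications"],
  host_permissions: ["<all_urls>"],
};

// True for match patterns that cover every host: <all_urls>, *://*/*, https://*/*
function isBroadHostPattern(pattern) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?):\/\/([^/]+)\/.*$/.exec(pattern);
  return m !== null && m[2] === "*";
}

// Returns findings; the severity labels are this example's own convention.
function auditManifest(manifest) {
  const perms = new Set(manifest.permissions || []);
  const broad = (manifest.host_permissions || []).filter(isBroadHostPattern);
  const optionalBroad = (manifest.optional_host_permissions || []).filter(isBroadHostPattern);
  const scriptMatches = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  const findings = [];

  if (broad.length > 0 && perms.has("scripting")) {
    findings.push({ id: "broad-host+scripting", severity: "high",
      detail: `scripting plus ${broad.join(", ")}: script injection allowed on any page` });
  } else if (broad.length > 0) {
    findings.push({ id: "broad-host", severity: "medium",
      detail: `host access to every site via ${broad.join(", ")}` });
  }
  if (scriptMatches.some(isBroadHostPattern)) {
    findings.push({ id: "broad-content-script", severity: "high",
      detail: "a content script is declared to run on every page" });
  }
  if (optionalBroad.length > 0) {
    findings.push({ id: "optional-broad-host", severity: "medium",
      detail: "all-site access can be requested at runtime" });
  }
  if (perms.has("tabs")) {
    findings.push({ id: "tabs", severity: "low",
      detail: "URLs and titles of all open tabs are visible to the extension" });
  }
  return findings;
}

for (const f of auditManifest(SAMPLE_MANIFEST)) {
  console.log(`[${f.severity}] ${f.id}: ${f.detail}`);
}
```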

What Stays Local vs What Goes to Anthropic

Here's the data flow that actually matters:

Stays in your browser:

  • The extension's settings and preferences
  • Local conversation history (if you have it enabled)
  • The list of "Allowed sites" you configure
  • Cookies and session state for sites you visit (the extension uses your existing logins; it doesn't proxy them)

Goes to Anthropic when Claude is actively working:

  • The text content of the page Claude is reading
  • Screenshots of the active page (so Claude's vision model can decide what to click)
  • The DOM structure of forms it's filling
  • Your prompts and Claude's responses
  • Metadata about the actions Claude is taking

The key fact most people miss: even when the side panel is closed, the extension is not continuously reading your pages. It's permission-gated to act when you invoke it. But once you ask Claude to "summarize this page" or "fill out this form," the page content does leave your machine.

That's not unique to Claude — it's how every agentic AI extension works. There's no model running in your browser that's smart enough to do this; the work happens at Anthropic's data center. If you don't want that data to leave, the only option is to not invoke Claude on that page.

The Lock-Down Setting Most Users Miss

Claude in Chrome ships with a permission model that defaults to allow on every site. There's a setting that flips this, and most users never find it:

  1. Open chrome://extensions/
  2. Click "Details" under Claude in Chrome
  3. Scroll to "Site access"
  4. Change "On all sites" to "On specific sites" and add only the domains you want to allow

Alternatively, inside the extension's settings:

  1. Open the Claude side panel
  2. Settings → "Claude in Chrome"
  3. Change "Default for all sites" from "Allow extension" to "Block extensions"
  4. Add specific domains under "Allowed sites"

This converts Claude in Chrome from "potentially everywhere" to "only where you explicitly opted in." For most use cases (research workflows, Drive automation, Gmail triage), allowlisting 5–10 sites is plenty.

How Claude Compares to Other AI Chrome Extensions

The honest comparison, using the data from the 442-extension Incogni study and our own audit of the top AI extensions:

| Extension | Reads page content | Acts on the page | BYOK option | Default scope |
|---|---|---|---|---|
| Claude in Chrome | Yes (when invoked) | Yes (full agent) | No | All sites |
| Gemini in Chrome | Yes | Limited | No | All sites |
| ChatGPT (official sidebar) | Yes | No (chat only) | No | All sites |
| Microsoft Copilot | Yes | Limited | No | All sites |
| BYOK extensions (e.g. Prompt Anything Pro) | Yes (when you select text) | No | Yes | All sites |

Claude is the most powerful of these (it's a real agent), and it's also the one with the broadest "what could it do" surface. The mitigation is the allowlist setting above — use it.

When You Should and Shouldn't Use Claude in Chrome

Good fits:

  • Long-form research where Claude opens multiple tabs and pulls information from each
  • Repetitive form filling from a source document
  • Email triage and drafting in Gmail
  • Doc organization in Google Drive
  • Customer support conversation analysis

Bad fits:

  • Sites with sensitive financial actions (your bank, brokerage, accounting software)
  • Internal company tools where data flow to a third party is policy-prohibited
  • Anything involving personal medical, legal, or HR data
  • Sites with logged-in sessions you don't want a third party seeing the DOM of

The middle ground: if you want chat-on-any-page UX without the agentic actions and the always-on-Anthropic data flow, a bring-your-own-key AI extension like Prompt Anything Pro gives you the side-panel-chat experience with your own API key going directly to the LLM provider of your choice (Claude, GPT, Gemini). The data still leaves your browser to the LLM provider — that's unavoidable — but you control which provider and which API key, and there's no Anthropic-side relationship to manage.

Verifying What the Extension Is Actually Doing

If you want to audit Claude in Chrome's behavior yourself:

  1. Open Chrome DevTools (F12) → Network tab → filter "claude.ai" or "anthropic.com"
  2. Watch the requests as you use the extension. You should see API calls only when you actively invoke Claude — not continuously.
  3. Check what's in the request body — page content, screenshots, your prompts.
  4. Look at the extension's source — install it, then chrome://extensions/ → "Inspect views: service worker" to see the actual code.

If you see continuous background traffic when you're not using Claude, something's wrong. We've verified Anthropic's extension behaves correctly on this point.
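
The audit steps above can be made repeatable by exporting the Network tab as a HAR file and checking it offline. This added example (not Anthropic's code) flags requests to the two filtered domains that fall outside a window after each time you invoked Claude. It assumes you noted those invocation times yourself; the HAR entries, paths and the 30-second window are constructed for illustration.

```javascript
// Added example, not Anthropic's code. SAMPLE_HAR is a constructed fragment using
// HAR 1.2 field names; the paths and the api.anthropic.com host are illustrative.
const VENDOR_DOMAINS = ["claude.ai", "anthropic.com"]; // the article's filter terms
const req = (time, method, url, bodySize) =>
  ({ startedDateTime: time, request: { method, url, bodySize } });
const SAMPLE_HAR = { log: { entries: [
  req("2026-06-16T10:00:02Z", "POST", "https://claude.ai/constructed/task", 48211),
  req("2026-06-16T10:00:05Z", "POST", "https://claude.ai/constructed/step", 1200),
  req("2026-06-16T10:00:03Z", "GET", "https://claude.ai.example.net/lookalike", 0),
  req("2026-06-16T10:00:04Z", "GET", "https://www.example.org/page", -1),
  req("2026-06-16T10:07:30Z", "POST", "https://api.anthropic.com/constructed/ping", 300),
] } };

// Exact or subdomain match, so claude.ai.example.net is not counted the way a
// substring filter would count it.
function isVendorHost(hostname, domains = VENDOR_DOMAINS) {
  const h = hostname.toLowerCase();
  return domains.some((d) => h === d || h.endsWith("." + d));
}

// invocations: ISO timestamps the tester noted when asking Claude to act.
// A vendor request is "expected" if it starts within windowMs after one of them.
function auditHar(har, invocations, windowMs = 30000) {
  const marks = invocations.map((t) => Date.parse(t));
  const vendor = [];
  for (const entry of har.log.entries) {
    let host;
    try { host = new URL(entry.request.url).hostname; } catch { continue; }
    if (!isVendorHost(host)) continue;
    const ts = Date.parse(entry.startedDateTime);
    const expected = marks.some((m) => ts >= m && ts - m <= windowMs);
    // HAR uses -1 when the body size is unknown; count that as 0 bytes.
    const bytes = Math.max(entry.request.bodySize || 0, 0);
    vendor.push({ time: entry.startedDateTime, host, method: entry.request.method, bytes, expected });
  }
  return {
    total: vendor.length,
    uploadedBytes: vendor.reduce((sum, v) => sum + v.bytes, 0),
    unexpected: vendor.filter((v) => !v.expected),
  };
}

const report = auditHar(SAMPLE_HAR, ["2026-06-16T10:00:00Z"]);
console.log(`${report.total} vendor requests, ${report.uploadedBytes} request-body bytes`);
for (const u of report.unexpected) console.log(`outside any invocation: ${u.time} ${u.host}`);
```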

Frequently Asked Questions

Does Claude in Chrome work offline?

No. The extension is a thin UI that talks to Anthropic's API. Without internet access, the side panel will open but no responses will generate. The "thinking" happens at Anthropic's data center, not in your browser.

Is the Claude Chrome extension free?

The extension itself is free to install, but it requires a Claude paid plan (Pro, Max, Team, or Enterprise) to use the agentic browsing features. Free Claude accounts can install the extension but can't use the browser-control capabilities. As of mid-2026, Pro is $20/month.

Can Claude in Chrome see my passwords?

Technically, with the scripting permission and <all_urls> host access, it could read input fields including password fields. In practice, the extension doesn't extract password values during normal operation. The mitigation is the allowlist setting — block the extension by default on banking and other sensitive sites where you don't need agentic capabilities.

Does Claude train on what I do in the extension?

Anthropic's commercial terms (Pro, Max, Team, Enterprise) state they don't train on customer prompts and responses by default. The extension falls under those terms. If you're on a free account using the extension's limited capabilities, the standard consumer terms apply, which do allow training on conversations unless you opt out.

Is there a way to use Claude in Chrome without the data leaving my browser?

No — at least not as the extension is currently designed. Claude's intelligence runs on Anthropic's servers, so any task you give Claude has to send the relevant page content there. If you want the side-panel chat UX with full data control, look at BYOK extensions where you choose the LLM provider and the data path goes from your browser directly to that provider with your own API key, with no intermediary.

How is "Claude in Chrome" different from "Claude Code in Chrome"?

Claude Code is Anthropic's CLI/IDE-integrated coding assistant. The "Claude Code in Chrome" integration lets Claude Code use your browser as a tool — clicking, scrolling, reading pages — to complete coding tasks that involve web interactions. Claude in Chrome (the consumer extension) is the same browser-control capability but accessed through the side panel chat UI directly, not via Claude Code's CLI. Same underlying tech, different entry point.

Key Takeaways

  • Claude in Chrome is more capable than other AI extensions — it can act on pages, not just chat about them.
  • The permissions it asks for are real: <all_urls> + scripting is the full read/write/act surface.
  • Anthropic's API gets your page content when you actively invoke Claude. It doesn't run continuously.
  • The "Block extensions by default" setting is the single most important configuration — flip it, then allowlist only the sites where you want agentic capability.
  • For sensitive sites (banking, HR, internal tools), don't enable Claude there. Use it for research, email triage, and document workflows where the data leaving your browser is acceptable.
  • If you want chat-on-any-page UX without the agentic surface or the always-on-Anthropic data flow, a BYOK extension is the architecture you want.

The extension is well-built and Anthropic has been transparent about how it works. The risk profile isn't hidden — it's documented. The mistake users make is installing it on all sites by default and never coming back to lock it down. Don't make that mistake.
