Opus 4.8's system card puts a number on browser-agent prompt injection: 31.5%

What is this?

On May 28, 2026, Anthropic released Claude Opus 4.8 alongside a 244-page system card that measures the model’s behaviour across four agentic surfaces: web browsing, code writing, agent-to-agent coordination, and external tool use. The line item that drew attention is a single number. When red-teamers pointed adversarially crafted web content at the browser agent, they hijacked it 31.5% of the time — before safeguards. That is a measured prompt-injection success rate against the raw model, disclosed by the vendor in its own pre-deployment report.

The number itself is not the story; the disclosure is. As several outlets noted, this is the only concrete prompt-injection metric a frontier lab put on the record this spring. Per Crypto Briefing’s read of the cards, OpenAI reported on a single surface (connectors), Google moved the topic into a separate safety-framework document, and Meta shipped no closed-model card at all. We are covering it because a published baseline susceptibility number is exactly what defenders need — and rarely get.

How it works

A browser agent is an LLM granted a loop of read the page → decide → act (click, fill, call a tool, fetch a URL). Prompt injection in this setting means hostile instructions embedded in content the agent reads — a web page, a tool response, a file, an API payload — are interpreted as commands rather than data. Because the agent’s output feeds an action layer, a successful injection moves from “wrong text” to “wrong action”: navigating to an attacker URL, exfiltrating page content, or chaining a tool call. This is the lethal trifecta pattern — untrusted input, private data access, and an exfiltration channel — instantiated in a browser.

The 31.5% figure is a pre-safeguard measurement. It reflects the model’s intrinsic tendency to follow injected instructions with no defensive layer active. No payloads are reproduced here; the methodology that matters is the framing:

Measurement                          What it tells you
-----------------------------------  ------------------------------------------
Pre-safeguard hijack rate (31.5%)    Raw model susceptibility — the worst case
                                     your guardrails must absorb
Post-safeguard rate (production)     Residual risk after filtering, monitoring,
                                     egress controls and approval gates
Capability score (Online-Mind2Web    How deep a successful injection can reach:
84%, per Anthropic)                  a more capable agent carries a bad
                                     instruction further into real systems

Two things make the baseline meaningful. First, capability and susceptibility rise together: Anthropic reports Opus 4.8 at 84% on Online-Mind2Web, its strongest browser-agent result, which means a hijacked session can do more before anything stops it. Second, production deployments are not the raw model — Anthropic states real deployments add guardrails, monitoring and filtering that reduce real-world exploit rates. The honest read is that 31.5% is the load your containment architecture has to carry, not the rate you ship.

Why it matters

For defenders, a vendor-published pre-safeguard number changes how you specify an agent deployment. A baseline susceptibility figure lets you reason about residual risk instead of guessing: if the raw model follows injected instructions roughly one time in three, your guardrails, egress controls and approval gates are doing the heavy lifting, and they need to be evaluated as such.

It also reframes procurement. A capability headline (84% task completion) and a susceptibility headline (31.5% pre-safeguard hijack) describe the same model and must be read together — more autonomy plus a non-trivial injection rate means a single poisoned page can travel further. And the cross-lab transparency gap matters on its own: when only one vendor publishes the number, buyers cannot compare browser-agent security postures, and “no disclosure” should not be mistaken for “no susceptibility.”

Defenses

The pre-safeguard rate is a reminder that model-level resistance is a layer, not the perimeter. Treat any browser agent as confusable and architect around it.

1. Control egress, not just input. Assume some injections will land. Restrict where the agent can send data: allowlist outbound domains, block arbitrary URL fetches with embedded data, and require explicit approval for any cross-origin or cross-system action.

2. Scope credentials and sessions tightly. Short-lived tokens, narrow OAuth scopes, isolated runtimes, and no persistent sessions. A hijack in a tightly scoped environment is a contained test result; the same hijack with broad file or repo access is an incident.

3. Gate high-impact actions. Put human-in-the-loop approval in front of irreversible or sensitive steps — sending data, executing trades, writing to production, deleting files. The browser agent can propose; a person or policy engine confirms.

4. Separate untrusted content from instructions. Apply contextual integrity and information-flow controls: label page content and tool output as data, and never let it escalate to the instruction channel that drives actions.

5. Demand post-safeguard numbers. When evaluating any agent, ask the vendor for the residual hijack rate after their defenses, plus containment-escape and incident-handling data. A pre-safeguard baseline is the start of the conversation, not the answer.

6. Log and review the action stream. The audit trail — what the agent decided and did — is what turns a failed model decision into a caught test rather than a silent breach.

Status

Item	Reference	Date	Notes
Claude Opus 4.8 release	Anthropic	2026-05-28	Same price as Opus 4.7; available everywhere
System card (244 pp.)	Anthropic	2026-05-28	Four agentic surfaces: browse, code, agent-to-agent, tools
Browser-agent pre-safeguard hijack rate	System card	2026-05-28	31.5%, raw model, before defensive layers
Online-Mind2Web capability	Anthropic	2026-05-28	84% — strongest browser-agent result reported
Coverage / transparency-gap analysis	Crypto Briefing, WinBuzzer	2026-06-01 → 2026-06-02	Only frontier lab to publish a concrete number this spring

The takeaway is not “Claude’s browser agent is unsafe” — every browser agent is susceptible, and most vendors simply did not publish a number. The takeaway is that 31.5% is the size of the problem your containment layer must solve, and that a published pre-safeguard baseline is the kind of artifact security architects should be asking every agent vendor to provide.