The Most Common AI Browser Extensions (and Their Risks)
- AI browser extensions are among the stealthiest forms of shadow AI, because they install in seconds, live inside the browser employees already trust, and rarely appear in any inventory.
- The common categories are writing assistants, ChatGPT-style sidebars and copilots, page and video summarizers, meeting notetakers, and research or prospecting helpers.
- The core risk is permission scope: many AI extensions request the ability to read and change data on all the websites you visit, which quietly covers webmail, CRMs, admin consoles, and internal tools.
- Whatever the extension reads is typically sent to a third-party model, so page content, customer records, and even authenticated session data can leave the organization without a paste or an upload.
- Because these extensions inject a model into the page and act on its content, they open an indirect prompt injection path - a malicious page can carry instructions the assistant follows.
- This reference names real, well-known extensions and categories without inventing install counts; use it to recognize what to look for, then discover what is actually present on your endpoints.
Of all the ways AI enters an organization, the browser extension may be the quietest. There is no app to install, no account for procurement to review, no obvious footprint - just a click in a web store and a new icon in the toolbar. Within seconds an employee has added a generative model to the browser they use for everything, and that model can now see the pages they open. AI browser extensions are, for that reason, one of the most overlooked corners of shadow AI. This guide is a reference to the most common ones, organized by what they do, and a clear look at the risks each category carries.
As with any discovery reference, the goal is recognition, not a leaderboard. We name real, well-known extensions and categories so you know what to look for, and we deliberately do not cite install counts or market-share figures we cannot verify honestly. For where this fits in the wider picture, see what is shadow AI, and for the AI apps that live in their own tabs rather than in the browser chrome, see top AI apps used in enterprises.
Why the browser is a uniquely risky place for AI
A standalone AI app only ever sees what a user deliberately gives it. A browser extension is different in kind. To do its job, an AI extension typically asks for permission to read and change data on the websites you visit, and users grant it in the same reflexive click they use for any install. That single grant applies everywhere the browser goes: your webmail, your CRM, your cloud provider's console, your ticketing system, your internal admin tools. The extension does not distinguish between a public blog and a page full of customer records - if it can read the page, all of it is in scope.
Layer an AI model onto that access and the picture sharpens. The extension does not just observe the page; it sends page content to a third-party model to summarize, rewrite, or answer questions about it. So the sensitive material on an internal page can leave the organization with no paste and no upload - just by being on screen while the assistant is active. And because the model reads whatever is on the page, a hostile page can try to talk back to it. Three risks compound here: ambient access, third-party data flow, and content-driven manipulation.
The common categories and what they can access
The most useful way to reason about AI extensions is by category, because the category predicts both the access requested and the data that flows. The table below maps the common types to real, recognizable examples, what they can typically access, and the primary risk.
| Extension type | Example extensions (real names) | What it can typically access | Primary risk |
|---|---|---|---|
| Writing assistants | Grammarly, Wordtune, Compose AI, QuillBot | Text you type into fields across most or all sites, including webmail and internal apps | Draft emails, documents, and messages are sent to a third party for analysis or rewriting |
| ChatGPT-style sidebars / copilots | Sider, Monica, Merlin, MaxAI, Harpa AI | Full content of the current page; ability to inject an assistant panel on any site | Whole pages - including sensitive internal ones - are eligible to be sent to a model |
| Page & video summarizers | Summarizer and 'summarize this page/video' extensions, YouTube summary tools | Page text or video transcript of whatever you are viewing | Confidential documents opened in the browser are transmitted and summarized externally |
| Search & answer helpers | Perplexity extension, ChatGPT-for-search style add-ons | Your queries and the pages returned or opened | Search intent and page content leak; results may be shaped by untrusted sources |
| Meeting notetaker companions | Otter, Fireflies, and similar browser companions | Tab audio and on-page meeting content in the browser | Internal and customer conversations are recorded and stored with a third party |
| Research & prospecting | Sales and research assistant extensions | Profile pages, CRM records, and site data as you browse | Customer and prospect PII is collected and sent to external services |
The three risks, in detail
1. Over-broad permissions
The permission most AI extensions request - read and change all your data on the sites you visit - is the root of the problem. It is granted once, at install, in the space of a click, and then it applies silently and permanently to every site the browser touches. There is no per-site prompt reminding the user that the extension is now reading their bank portal, their HR system, or a page of production data. Even a well-intentioned extension with this grant is a large standing attack surface, because a later compromise of the extension, its publisher, or an update it ships inherits all of that access. This is the browser version of the over-privilege problem we cover in least privilege for AI agents.
2. Data sent to third parties
An AI extension is, by design, a pipe to an external model. Whatever it reads to be useful - the email you are drafting, the document open in a tab, the customer record on screen, the meeting transcript - is eligible to be transmitted to that model's servers. Where the content is retained, whether it is used for training, and which subprocessors touch it all depend on the specific product, plan, and settings, and most employees never check. The result is a continuous, low-visibility egress channel that traditional controls miss: this is exactly the gap that DLP for AI agents explains, since content leaving through an extension's own encrypted channel often does not look like a classic exfiltration event. The employee-behavior side is covered in shadow AI data exposure: what employees paste.
3. Prompt injection through page content
The subtlest risk is specific to AI extensions. Because the extension feeds page content to its model to summarize or answer questions, any instructions embedded in that page can be read by the model as commands. A malicious or compromised web page can carry hidden text that tells the assistant to reveal data it can see, follow a link, or take an action on the user's behalf. This is indirect prompt injection, and the extension is the delivery vehicle - the assistant is doing exactly what it was built to do, reading the page, but the page is now adversarial. See indirect prompt injection explained for how the class works and why it is hard to fully prevent.
Extensions change under you
A one-time review of an extension is not enough, for two reasons. First, extensions auto-update, so the code you approved is not necessarily the code running next week - a benign extension can gain new behavior or new data flows in an update no one notices. Second, ownership changes: extensions are bought and sold, and a popular one can pass to a new publisher whose intentions differ from the original author's. Both are well-documented patterns in the browser ecosystem generally, and they apply with extra force to AI extensions because of the access they already hold. The practical implication is that governance has to be continuous - you need to know not just what was installed, but when it changed.
Controls that actually work
The instinct to block everything is understandable but usually counterproductive: a blanket ban with no sanctioned alternative pushes people to personal browsers and profiles where you have zero visibility. A more durable program looks like this:
- Discover first. Enumerate every AI extension installed across your fleet, on every browser and profile, before writing any policy. You cannot govern what you have not listed.
- Review permissions, not just names. Judge each extension by the access it holds - broad host permissions are the signal that matters - rather than by reputation alone.
- Approve a vetted tier. Maintain a short list of reviewed extensions for common needs, so employees have a sanctioned option instead of an unmanaged one.
- Default-deny unknowns in high-sensitivity contexts. For teams that handle regulated or highly confidential data, allow only vetted extensions and block the rest by policy.
- Monitor for change. Treat updates and ownership changes as events to re-review, since a vetted extension can drift into something you would not have approved.
- Separate sensitive work. Where feasible, keep internal admin tools and regulated data in a browser profile with no AI extensions attached.
The full control set, including how browser AI risk relates to the broader agent surface, is in browser AI security risks and controls.
How Anomity helps
The hardest part of governing AI browser extensions is the first part: knowing they exist. They install without IT, live inside a trusted application, and rarely appear in any asset inventory. Anomity closes that gap. Extensions are one of the eight AI artifact types its lightweight, unprivileged Endpoint Sensor discovers across Windows, macOS, and Linux - alongside AI agents, MCP servers, plugins, skills, secrets, hooks, and CLIs. For each managed endpoint, Anomity surfaces which AI extensions are installed, on which browsers, and for whom, giving you the inventory that every control above depends on.
The sensor sends metadata only over HTTPS to the Anomity Cloud - never source code, never prompts, with secrets redacted on the endpoint. Because discovery is continuous, an extension that auto-updates or changes hands shows up as a change event rather than slipping by unnoticed, and every extension added, removed, or modified is recorded in a queryable 90-day audit trail. Violations of policy route to your SIEM, Slack, email, and Jira. Anomity is SOC 2 Type II and complements your existing EDR/XDR, DLP, and network controls by adding the AI-artifact visibility they were never designed to provide. It answers the question those tools cannot: which AI is running inside the browser, and what can it reach.
You can't govern what you can't see.The Anomity principle
The bottom line
AI browser extensions deliver real value, but they concentrate three risks in one small package: standing access to every page a user opens, a built-in pipe to a third-party model, and an injection path through the very content they read. The extensions themselves are legitimate and widely used - Grammarly, Sider, Monica, Merlin, Perplexity's add-on, and their peers are not exotic. What is missing in most organizations is visibility into which of them are installed and what those installs can reach. Start there: discover every AI extension across your fleet, review its permissions, approve a vetted tier, and watch for change. To see your own browser-extension footprint discovered and inventoried, book a 30-minute demo.
Frequently asked questions
What is an AI browser extension?
It is a browser add-on whose function is powered by a generative AI model - a writing assistant, a ChatGPT-style sidebar, a page summarizer, a meeting notetaker, or a research helper. Unlike a standalone AI app in its own tab, an extension runs inside every page you visit, which is what makes it both convenient and risky. It can read the page you are on, insert an assistant into it, and send content to an external model on your behalf.
Which AI browser extensions are most common in enterprises?
Writing assistants like Grammarly and Wordtune; ChatGPT-style sidebars and page copilots such as Sider, Monica, Merlin, MaxAI, and Harpa AI; page and video summarizers; search and answer helpers like the Perplexity extension; and meeting notetaker companions from tools like Otter and Fireflies. We name these as real, recognizable examples rather than a ranked or exhaustive list, and we deliberately avoid citing install counts we cannot verify.
Why are AI browser extensions a bigger risk than standalone AI apps?
Because of where they sit. A standalone app only sees what you paste into it. An extension with broad host permissions can read and modify content on every site you open - including webmail, your CRM, cloud consoles, and internal admin tools - without you actively handing it anything. That ambient access, combined with an external model on the other end, turns ordinary browsing into a continuous, low-visibility data-egress channel.
What does 'read and change all your data on the websites you visit' actually mean?
It is the broad host-permission grant many extensions request at install. In practice it lets the extension see the full content of the pages you load and alter what is displayed or submitted. For an AI extension, that usually means page text is eligible to be sent to a model for summarizing, rewriting, or answering. The permission is granted once, in a hurry, and then applies silently to sensitive internal sites just as much as to public ones.
Can a web page attack an AI extension through prompt injection?
Yes. When an extension feeds page content to its model - to summarize or answer questions about the page - a malicious page can embed instructions crafted to be read as commands. That is indirect prompt injection: the assistant may follow attacker text hidden in the page, potentially exfiltrating data it can see or taking an action on the user's behalf. We explain the mechanism in indirect prompt injection explained.
How does Anomity help with AI browser extensions?
Extensions are one of the eight AI artifact types Anomity discovers and inventories, alongside AI agents, MCP servers, plugins, skills, secrets, hooks, and CLIs. A lightweight, unprivileged Endpoint Sensor on each managed endpoint (Windows, macOS, and Linux) surfaces which AI extensions are installed, on which browsers, and for whom - the inventory most organizations simply do not have. It sends metadata only over HTTPS to the Anomity Cloud, never source or prompts and with secrets redacted on the endpoint, and it records every extension added, removed, or changed in a queryable 90-day audit trail so a quietly updated extension shows up as a change event.
Should we block AI browser extensions outright?
Blocking every unknown extension by default and allowing a vetted set is a defensible posture for high-sensitivity environments, but a blanket ban with no approved alternative tends to push people to personal browsers and profiles where you have no visibility at all. The stronger approach is discover what is installed, review the permissions each one holds, approve a vetted tier, and monitor for change. See browser AI security risks and controls for the control set.




