Agent Data Injection: An arbitrary click attack against web agents
By planting a single fake product review on a shopping page, we made three web agents, Claude for Chrome (Anthropic), Antigravity (Google), and Nanobrowser, click buttons their users never intended. On Claude for Chrome, a request as harmless as "summarize the reviews on this page" ended with a one-click order placed for a product the user never asked for, and it still works on the latest models, including Claude Opus 4.8.

This is essentially an XSS-like attack on web agents. Any website that shows user-generated content becomes an attack surface, exploitable from an ordinary account with no special access. The click-hijack is one instance of a broader class of vulnerability we call Agent Data Injection (ADI), in which attacker-controlled data is misread by the agent as trusted data.
