Google Chrome Expands Gemini and On-Device AI Features, Including New Controls for Scam Detection Models
Google is testing deeper Gemini integration in Chrome via a new internal feature called “Skills,” which appears to let users define named, instruction-based automations that Gemini can execute inside the browser. The feature is surfaced through a new chrome://skills page and aligns with Google’s stated direction of turning Gemini into a more agent-like assistant capable of acting across tabs and, over time, integrating more tightly with Google services.
Separately, Google has added user controls to manage the on-device GenAI model used by Chrome’s Enhanced Protection (Safe Browsing) capabilities, which were previously upgraded with AI for “real-time” detection of dangerous sites, downloads, and potentially malicious extensions. In Chrome Canary, users can disable On-device GenAI under Chrome → Settings → System, which also enables deletion of the local model; Google indicated the local model may support additional security and browser features beyond scam detection as it rolls out more broadly.
How this story unfolded
8 events from the earliest known activity through the most recent confirmed update.
Google upgrades Chrome Enhanced Protection with AI capabilities
Google upgraded Chrome’s Enhanced Protection safe browsing feature with AI capabilities last year, adding real-time protection against dangerous websites, downloads, and extensions, including deeper scanning of suspicious downloads.
Gemini in Chrome begins rolling out on desktop in the US
Google started rolling out Gemini in Chrome on desktop in the United States, where it functions as an in-browser helper for explaining, summarizing, and comparing information across tabs.
Google outlines plan to evolve Gemini in Chrome into an agent
Google previously said it plans to turn Gemini in Chrome into a more agentic assistant over the coming months, with future capabilities such as helping users re-find pages and interact with Google apps without switching tabs.
Google tests Gemini-powered Chrome Skills feature internally
References to an internal chrome://skills page show Google is testing a new 'Skills' capability that would let users define named task instructions for Gemini to execute in Chrome. The feature appears to be under internal testing with no public rollout timeline announced.
Chrome Canary adds option to disable and delete on-device GenAI models
Google Chrome now exposes a user-facing setting in Chrome Canary to turn off 'On-device GenAI,' allowing users to disable and delete local AI models used for features including scam detection. Broader rollout is expected later.
Google begins rolling out Gemini Skills in Chrome to desktop users
Google launched the Chrome 'Skills' feature, allowing users to save Gemini prompts as reusable workflows and run them on the active page or across multiple tabs from the browser side panel. The rollout started for signed-in desktop users on Windows, macOS, and ChromeOS using English, alongside a Skills Library of prebuilt workflows and manual confirmation for sensitive actions.
Google launches Auto Browse and enterprise Gemini controls in Chrome Enterprise
Google announced Chrome Enterprise updates that add Gemini-powered Auto Browse for eligible Workspace users in the US, letting the browser perform multi-step actions across tabs with user approval. The release also brings Skills to Chrome Enterprise and adds new admin security features, including AI usage visibility, risky extension controls, Gemini Summary, Okta-backed session protections, and remote clearing of browsing data on compromised devices.
Report alleges Chrome silently downloads 4GB Gemini Nano model to devices
A report alleged that Google Chrome had been silently downloading roughly 4GB of Gemini Nano on-device model files to Windows, Apple Silicon, and Ubuntu systems without explicit user consent, and would re-download them after deletion. The files were reportedly tied to local Chrome AI features and raised privacy, bandwidth, and compliance concerns.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
Google Chrome Is Silently Downloading a 4GB Gemini Nano AI Model to User Devices Without Consent - gHacks Tech News
ghacks.net
Open sourceGoogle brings Auto Browse and Skills to Chrome Enterprise - and a new 'Gemini Summary' | ZDNET
zdnet.com
Open sourceGoogle Chrome Adds Skills Feature to Save and Reuse Gemini AI Prompts Across Tabs - gHacks Tech News
ghacks.net
Open sourceGoogle Chrome tests Gemini-powered AI "Skills"
bleepingcomputer.com
Open sourceGoogle Chrome now lets you turn off on-device AI model powering scam detection
bleepingcomputer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Google Chrome Gemini AI Agent Enhanced to Counter Prompt Injection Attacks
Google has acknowledged the significant risk of prompt injection attacks targeting its Gemini-powered Chrome browsing agent, which can be manipulated to perform unauthorized actions such as initiating financial transactions or exfiltrating sensitive data. In response, Google has introduced a second AI model, termed the 'user alignment critic,' designed to independently vet the agent's proposed actions before execution. This model operates in isolation from untrusted web content, providing an additional layer of defense against both goal hijacking and data leakage. The move comes as prompt injection has been identified as a leading vulnerability in AI systems, with industry bodies like OWASP and the UK's National Cyber Security Centre highlighting its prevalence and difficulty to mitigate due to the structural limitations of large language models. The Gemini-powered browsing agent, currently in preview, is capable of navigating websites, clicking buttons, and filling forms while users are logged into sensitive accounts, increasing the potential impact of successful attacks. Security experts and analysts have emphasized the need for robust safeguards, as malicious instructions can be hidden in web pages, iframes, or user-generated content. Google's dual-model approach aims to address these concerns by ensuring that any action not aligned with the user's intent is blocked, thereby reducing the risk of exploitation through prompt injection. The development reflects a broader industry trend of reassessing the security of AI-driven browsers and the need for advanced countermeasures to protect users and organizations from emerging threats.
Mar 21, 2026
Google Expands Gemini Personal Intelligence to Free Users
Google expanded **Gemini Personal Intelligence** beyond paid subscribers, making the feature available to more free U.S. users across **AI Mode in Search**, the **Gemini app**, and **Gemini in Chrome**. The feature connects Gemini to personal Google services such as **Gmail**, **Google Photos**, **YouTube**, and **Search history**—with user permission—so it can provide more contextual, personalized responses instead of generic answers. Reported use cases include shopping recommendations based on prior purchases, travel and layover suggestions tailored to preferences and location, and troubleshooting help informed by a user’s device or purchase history. Google said the capability is **opt-in** and lets users choose which apps and services to connect, with the option to disconnect them later. Coverage of the rollout emphasized the amount of personal context Gemini can access, including email, photos, and search activity, and noted that the feature was previously limited to users paying for Google’s AI subscription. One report highlighted a hands-on test in which Gemini identified vehicle details and recommended tire options and local sellers, illustrating the depth of personalization now being offered to a broader user base.
May 11, 2026
Chrome Gemini Live Panel Hijacking via Malicious Extensions (CVE-2026-0628)
Palo Alto Networks Unit 42 disclosed a **high-severity Google Chrome vulnerability** in the new **Gemini Live in Chrome** side panel, tracked as **CVE-2026-0628**, that could have allowed **malicious browser extensions with only basic permissions** to hijack the Gemini panel and effectively “tap into” the browser environment. The reported impact included **privilege escalation** enabling access to sensitive resources such as the victim’s **camera and microphone**, the ability to **take screenshots of any website**, and access to **local files and directories**. Unit 42 reported responsible disclosure to Google and stated that Google shipped a fix in **early January** ahead of public disclosure. Dark Reading coverage echoed Unit 42’s findings, emphasizing that the flaw highlights emerging risks in **agentic/AI-enabled browsers** where AI side panels run with elevated capabilities, and that enterprise environments face amplified exposure if users install untrusted extensions. Separate reporting described unrelated supply-chain activity affecting developer and browser extensions: Socket reported suspicious, non-repository code added to **Aqua Trivy’s VS Code extension** on **OpenVSX** (versions `1.8.12`/`1.8.13`) that attempted to invoke local AI coding assistants and exfiltrate/report data, while Rescana detailed a **QuickLens Chrome extension** takeover used for credential/crypto theft and a **ClickFix** social-engineering technique; these are distinct incidents from CVE-2026-0628 but reinforce the broader risk of extension ecosystems.
Mar 21, 2026