Week 14 — Discussion (Adaptive Learning) · "Browser Agents & Prompt Injection — Safe Enough Yet?"
Course: Using Artificial Intelligence (AI 101) · Silver Oak University (fictional sample) · Prof. Quinn
Objective: Objective 6 (cross-app workflows; agentic safe use) · SLO B (evaluate and use AI ethically and safely)
This is Discussion 14 of 15 · Discussions group = 10% of the grade · Worth 20 points
Format: adaptive learning — instead of writing a post cold, you'll think it through in a real-time dialogue with your own AI, then post the short summary the AI writes with you (plus a link to your chat).
Part 1 — Student Instructions (read this first)
What this is. You'll take a stance on a genuinely arguable question — are browser agents safe enough to trust with real accounts yet? — and in the process catch and diagnose an error-analysis scenario: a flawed workflow plan that has real safety problems. The AI's job is to draw out and challenge your thinking, not to hand you the answer. When you've reasoned it through, it produces a short summary you post to the class.
How to run it (about 15–20 minutes):
1. Open any approved AI assistant — ChatGPT, Claude, Gemini, or Copilot (free versions are fine).
2. Copy everything in the box below and paste it as one single message.
3. Have the conversation. Engage genuinely — the summary reflects your reasoning, not generic ideas.
What to submit. When the AI gives you the DISCUSSION SUMMARY, copy it and your conversation's share link, and post both to the Week 14 discussion board as your initial post by Friday, Dec 4. Then reply to two classmates by Sunday, Dec 6 — engage with their verdict and the flaws they found.
Integrity note. The dialogue and the analysis are yours. The posted summary must reflect your own reasoning. (This is an adaptive-learning activity — you complete it with an approved assistant, per the course AI policy.)
Part 2 — The Discussion-Partner Prompt (copy everything in the box)
⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯ COPY EVERYTHING BELOW THIS LINE ⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯
You are my discussion partner for Week 14 of "Using Artificial Intelligence" (AI 101) at Silver Oak University. We are going to have a real back-and-forth about whether browser agents like Claude in Chrome are safe enough to trust with real accounts yet, AND about a flawed automation plan I need to diagnose. Your job is to draw out and challenge MY thinking — not to lecture me, and never to write my discussion post for me.
THE TWO THINGS WE'RE DEBATING
1. Are browser agents safe enough yet? Claude in Chrome can navigate websites, click buttons, fill forms, and run background tasks on your behalf. But the official Anthropic documentation explicitly warns about prompt-injection attacks — malicious instructions hidden in web content that can redirect the agent's behavior. Anthropic's defenses reduce attack success rates in their testing but do not eliminate them. I have to take a position: are browser agents safe enough to use with real accounts today, or do the prompt-injection and other risks mean they should be limited to low-stakes tasks until defenses improve? I need to weigh real benefits against documented risks — not doom or hype.
2. Error analysis — find what's wrong with this plan. Here is an automation plan a student submitted: "Step 1: Claude in Chrome logs into my bank, checks the balance, and emails me a summary every morning. Step 2: Claude in Chrome monitors new job listings on three sites and automatically submits my application (with my saved resume) to any posting it finds promising. Step 3: Claude in Chrome auto-approves all sites so it doesn't have to ask for permission every time." I have to identify the safety problems in this plan.
WHAT WE'RE EXPLORING (use these privately to steer the conversation — do NOT read them to me as a checklist):
1. The real documented benefits of browser agents: research automation, form-filling on trusted sites, scheduled workflows.
2. The real documented risks: prompt injection (malicious instructions in web content), financial site risks, irreversible actions without review.
3. What Anthropic's safety guide actually says — defenses reduce attack success rates in their testing but are "not a security boundary"; financial sites are blocked; the user remains responsible for all actions.
4. A fair weighing: the question isn't "safe vs. not safe" in the abstract but "safe enough for which tasks, at what trust level, with which safeguards?"
5. In the error-analysis plan: (a) the bank/financial site action violates the absolute money rule and is blocked by default; (b) auto-submitting job applications without review is irreversible and relies on the agent's judgment without human check; (c) auto-approving all sites removes the primary defense against prompt injection.
HOW TO RUN THE DIALOGUE
- Open by greeting me warmly (2–3 sentences), asking my FIRST NAME, and asking ONE question that gets me to take a first position on the safety question. (If I never give my name, keep going, but ask before the summary.)
- Exactly ONE question per message, then stop and wait.
- Build on MY words: quote or paraphrase what I said, then go deeper — ask what evidence I'm weighing, or which risks I find more serious than others.
- Introduce at least one counterpoint: if I say "it's too risky," push back with a real benefit ("but for research tasks with no accounts, the risk seems low — how do you draw the line?"). If I say "it's fine," push back with the documented prompt-injection rate and the "not a security boundary" quote.
- Don't reveal which specific items in the error-analysis plan are wrong — ask me to identify them. Once I've named them, you can confirm and deepen.
- Present both sides fairly. Don't doom-say or hype. This is a genuinely open question — reasonable, informed people disagree about when agentic tools are ready for sensitive use.
- Keep YOUR messages short; I should do most of the thinking.
ENGAGEMENT GUARDS
- Don't accept a one-word or low-effort answer — probe for the reasoning ("What evidence is your verdict based on?").
- Don't hand me my position or write sentences I can paste as my post.
- If I go off-topic, one brief friendly sentence and — IN THE SAME MESSAGE — back to the discussion.
- Until the summary, EVERY message must end with a question or clear prompt to continue.
- If I claim the technology is simply "safe" or simply "not safe" without nuance, ask me where I'd draw the line for specific use cases.
THE EXIT CONDITION
After at least 5 substantive exchanges AND once I have (a) taken and defended a clear position on whether browser agents are safe enough for real accounts today, (b) named at least two safety flaws in the error-analysis plan, (c) described one concrete safeguard or design pattern that would improve the plan, and (d) engaged with at least one counterpoint — whichever happens LAST — tell me we've had a good discussion and you'll summarize.
THE DISCUSSION SUMMARY — produce it in EXACTLY this format, drawn ONLY from what I actually said:
WEEK 14 DISCUSSION SUMMARY — Browser Agents & Prompt Injection: Safe Enough Yet?
Student: [name] | Date: ___
My verdict (and why): ___
Evidence I weighed: ___
Flaws I found in the error-analysis plan: ___
A safeguard or design fix I proposed: ___
A counterpoint I engaged: ___
Then say, verbatim: "Copy this summary AND your share link to this chat, and post both to the Week 14 discussion board as your initial post — then reply to two classmates." End with one genuine sentence about something I reasoned well.
GETTING STARTED
Begin now: greet me, ask my first name, and ask your opening question.
⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯ COPY EVERYTHING ABOVE THIS LINE ⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯
Participation rubric (instructor) — 20 points
| Criterion | 5 — Strong | 3 — Developing | 1 — Thin |
|---|---|---|---|
| Reasoning shown in the summary (depth of the dialogue) | Takes a nuanced, defended verdict on browser-agent safety with specific evidence; analyzes the plan's flaws precisely | Some analysis; verdict stated but lightly supported | One-line claim; little evidence of genuine dialogue |
| Correct use of Week-14 concepts | Prompt injection, financial site rules, approval checkpoints, and "not a security boundary" used accurately | Mostly correct; one term vague or misused | Concepts absent or significantly misused |
| Engaged a counterpoint evenhandedly | Names and genuinely weighs an opposing view without dismissing either side | Acknowledges a counterpoint without engaging it | No counterpoint considered |
| Peer replies + clarity for a non-expert (SLO B applied) | Two substantive replies; writing a careful non-expert could follow | Two short replies; mostly clear | Missing or low-effort replies |
Grading note (Prof. Quinn): the posted artifact is the AI summary + chat share link; spot-check a few links against the summary. A glowing summary from a one-line chat is the failure mode to watch — the rubric rewards the dialogue, not the AI's prose. The discussion is genuinely open (reasonable people disagree on agentic trust); don't penalize for a "not safe enough yet" or "safe with limits" verdict — penalize only for absence of evidence and nuance.
Canvas placement block
canvas_object = DiscussionTopic
title = "Week 14 Discussion — Browser Agents & Prompt Injection: Safe Enough Yet? (adaptive)"
assignment_group = "Discussions"
points_possible = 20
grading_type = points
discussion_type = adaptive
due_offset_days = 4 # initial post (AI summary + chat share link), Fri Dec 4
reply_offset_days = 6 # two peer replies, Sun Dec 6
published = true
submission_note = "Initial post = the AI discussion summary + the chat share link; then reply to two classmates."
provenance = "~ Prof. Quinn's edition · Fall 2026 · built with thecoursemaker.com"
Traditional variant — for comparison. This sample course is configured for adaptive learning, so its actual Week-14 discussion is the BYOAI-dialogue version in G-discussion-week-14.md. This file shows the same Week-14 topic built the traditional way — an instructor-posted prompt where students write their own post and reply to peers — so you can see both formats side by side. (Choosing `discussion_type = traditional` at course setup generates this style instead.)
Course: Using Artificial Intelligence (AI 101) · Silver Oak University (fictional sample) · Prof. Quinn
Objective: Objective 6 (cross-app workflows; agentic safe use) · SLO B (evaluate and use AI ethically and safely)
Discussion 14 of 15 · Discussions group = 10% of the grade · Worth 20 points
The Discussion
This week you learned that browser agents like Claude in Chrome can navigate websites, click buttons, and fill forms on your behalf — but that they carry a documented risk: prompt injection, where malicious instructions hidden in web content can redirect the agent's behavior. Anthropic's safety guide is explicit about this. Let's put both sides of this technology on the table.
Your initial post (by Friday, Dec 4 — about 150–200 words). Answer both parts:
- Part 1 — Are browser agents safe enough yet? Claude in Chrome is available in beta on paid plans. The official safety documentation confirms that defenses reduce prompt-injection attack success rates but do not eliminate the risk; financial sites are blocked by default; and the user remains responsible for all actions the agent takes. Take a clear position — browser agents are safe enough to use with real accounts today, safe enough only for low-stakes tasks, or not yet ready for real account use — and defend it using at least two Week-14 facts (documented risks, the approval-checkpoint system, plan availability, financial blocking, etc.). Your verdict doesn't have to be "doom" or "hype" — it can be conditional ("safe for X but not Y").
- Part 2 — Find the safety flaws. A student submitted this automation plan: "Step 1: Claude in Chrome logs into my bank and emails me the balance every morning. Step 2: Claude in Chrome auto-submits my job applications whenever it finds a 'promising' listing. Step 3: Auto-approve all sites so it doesn't have to ask permission." Name at least two safety problems in this plan and describe one concrete fix for each.
Replies (by Sunday, Dec 6). Reply to at least two classmates. Challenge their verdict with evidence they didn't cite, or point out a flaw in the automation plan they missed, or argue for a different risk threshold. One to two substantive sentences each.
What a strong post looks like: "I'd say browser agents are safe enough for research and form-filling on trusted sites I already use, but not for anything involving accounts with real consequences. My line: if the action is reversible and the site is familiar, the risk is manageable with good approval habits. The automation plan has three problems: banking is explicitly blocked by Anthropic and violates the money rule (Fix: the user checks the balance manually); auto-submitting job applications without review is irreversible (Fix: Claude drafts a list of promising listings and I approve each before submission); and auto-approving all sites removes the main prompt-injection defense (Fix: approve per domain, especially on unknown sites)."
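As an added illustration (not part of the course materials or of any Anthropic product), here is a small policy gate in Python that encodes the three fixes from the sample post: financial domains blocked regardless of approvals, irreversible actions requiring per-action human review, and per-domain approval instead of a blanket auto-approve. The domain names, action kinds and function names are constructed for this example.

```python
from dataclasses import dataclass, field

# Decision values the gate returns (names are this example's own).
ALLOW, ASK, BLOCK = "allow", "ask_user", "block"
# Action kinds that cannot be undone once the agent performs them.
IRREVERSIBLE = {"submit_form", "send_email", "purchase", "delete"}

@dataclass
class Policy:
    approved_domains: set = field(default_factory=set)   # per-domain approvals
    financial_domains: set = field(default_factory=set)  # blocked by default
    auto_approve_all: bool = False                       # the plan's Step 3

@dataclass
class Action:
    domain: str
    kind: str               # "read", "navigate", "submit_form", ...
    reviewed: bool = False  # did a human confirm this specific action?

def gate(policy: Policy, action: Action) -> str:
    """Return ALLOW, ASK or BLOCK for one proposed agent action."""
    # Financial sites stay blocked no matter what the user approved.
    if action.domain in policy.financial_domains:
        return BLOCK
    # Irreversible actions need a per-action human check; a blanket
    # auto-approve is not a substitute for that review.
    if action.kind in IRREVERSIBLE:
        return ALLOW if action.reviewed else ASK
    # Read/navigate on a domain the user approved is fine.
    if action.domain in policy.approved_domains:
        return ALLOW
    # Unknown domain: auto-approve-all waives the checkpoint, which is the
    # prompt-injection defense the student's plan removes.
    return ALLOW if policy.auto_approve_all else ASK

def evaluate_plan(policy: Policy, steps: list) -> dict:
    return {name: gate(policy, act) for name, act in steps}

# Constructed sample: the student's plan under the weak and the fixed policy.
STUDENT_PLAN = [
    ("step1_bank_login", Action("bank.example", "navigate")),
    ("step2_auto_apply", Action("jobs.example", "submit_form")),
    ("step3_unknown_site", Action("random-site.example", "navigate")),
]
FINANCIAL = {"bank.example"}
weak = Policy({"jobs.example"}, FINANCIAL, auto_approve_all=True)
fixed = Policy({"jobs.example"}, FINANCIAL, auto_approve_all=False)

if __name__ == "__main__":
    print("weak: ", evaluate_plan(weak, STUDENT_PLAN))
    print("fixed:", evaluate_plan(fixed, STUDENT_PLAN))
```

Under the weak policy the unknown site is visited without a checkpoint; under the fixed policy it, and every unreviewed application submission, stops at the user.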
Integrity & AI note. Write your post in your own words — that's the point. You may use an approved assistant to help you think through the argument, but the post you submit must be your own reasoning; if AI helped, note which tool and how. (Note: this is the traditional format. In this course's actual adaptive discussion, reasoning through the verdict with the assistant is the activity — see G-discussion-week-14.md.)
Participation rubric — 20 points
| Criterion | 5 — Strong | 3 — Developing | 1 — Thin |
|---|---|---|---|
| Initial post — analysis | Clear, defended verdict on browser-agent safety using 2+ Week-14 facts; names two real flaws in the automation plan with concrete fixes | Most pieces present; one slip or a vague fix | A position stated with little evidence |
| Use of Week-14 concepts | Prompt injection, financial blocking, approval checkpoints, "not a security boundary" used accurately | Mostly correct; one term vague | Concepts absent or misused |
| Peer replies | Two substantive replies that add a fact, challenge the risk threshold, or catch a missed flaw | Two short replies; mostly restating | Missing or one-line "I agree" replies |
| Clarity for a non-expert (SLO B applied) | A careful non-expert could follow the argument | Mostly clear; some jargon | Hard to follow |
Grading note (Prof. Quinn): the discussion is genuinely open — a "not yet safe enough" verdict and a "safe with limits" verdict can both earn full credit if the argument is grounded in Week-14 facts and the automation-plan analysis is specific. Penalize absence of evidence and missing fixes, not a particular verdict.
Canvas placement block
canvas_object = DiscussionTopic
title = "Week 14 Discussion — Browser Agents & Prompt Injection: Safe Enough Yet? (traditional)"
assignment_group = "Discussions"
points_possible = 20
grading_type = points
discussion_type = traditional
due_offset_days = 4 # initial post, Fri Dec 4
reply_offset_days = 6 # two peer replies, Sun Dec 6
published = true
submission_note = "Students write an original initial post and reply to two classmates in the Canvas discussion."
provenance = "~ Prof. Quinn's edition · Fall 2026 · built with thecoursemaker.com"