VSvarunsingla.com

← All entries

Day 55· · 3 min read

Agentic Browser Wars 2.0

Foundations & Protocols
By the numbers
4
agentic browsers shipping at consumer scale
32%
rise in malicious detections Nov 25 - Feb 26
3
GenUI standards (AG-UI, A2UI, MCP Apps)
75+
official Claude MCP App connectors

Market signal

Cursor + Claude Code already account for 95.6% of all developer AI agent traffic (Mintlify, Mar 26). Comet + Atlas + Remy + Hatch are the consumer-side version of that same lock-in race - whoever owns the default browsing surface owns the agent's eyes, hands and wallet for the next decade. On Day 48 we mapped the AG-UI maturity curve (L1 chat-only -> L5 multi-agent UX). The browser is forcing L4 (generative UI) to become the default - and three rival specs are now competing to be the canvas the agent renders into. Pick the wrong one and you will be re-rendering inside the next year. Strip back the marketing and every agentic browser is the same 6-layer stack we've been building since Day 23 - except the input surface is the DOM and the output surface is a generative-UI overlay. Two disclosures in the last 7 days made it impossible to ship agentic browsers without a Day-26-style trust

Disclosure 1 - Brave: Unseeable prompt injections in screenshots Brave's security team showed that attackers can hide instructions in images using faint blue-on-yellow text that is effectively invisible to humans but trivially read by OCR. Comet's screenshot-question feature extracts that text and executes it as agent instructions. Brave calls this 'a systemic challenge facing the entire category of AI-powered browsers' - not a Comet bug, a category bug. Disclosure 2 - Microsoft: When prompts become shells (May 7, 26) CVE-2026-25592 + CVE-2026-26030 in Microsoft Semantic Kernel: a single prompt was enough to launch calc.exe - host-level RCE - on the device running an agent. Vector: InMemoryVectorStore's filter evaluator used eval() with an AST blocklist that could be bypassed via __name__ + load_module + BuiltinImporter to reach os.system. No browser exploit, no attachment, no memory corruption. Fix: semantic-kernel >= 1.39.4. The broader Microsoft Security blog ('When prompts become shells') synthesises the pattern across frameworks - the agent tool registry is now the attack surface. Combine the two and the threat model is clear: an attacker who can plant text on a page the user will visit can - via the agentic browser - reach host-level code execution if any tool in the chain has a vulnerable sandbox. This is the agentic-browser version of XSS, except the victim is the whole agent stack, not just Honourable mentions: ByteDance UI-TARS-desktop (open-source multimodal desktop agent stack, GitHub trending this week) and CopilotKit's generative-ui repo (canonical examples of AG-UI + A2UI + MCP Apps all rendering the same agent state). Ship Article 50 compliance now, not in August Disclosure + watermark + kill switch + audit log is the minimum bar for an agentic surface in the EU from Aug

Take Treat this like the early 2010s mobile fork - native (A2UI) vs web (MCP Apps) vs framework-agnostic event protocol (AG-UI). CopilotKit's $27M Series A (Glilot Capital, NFX, SignalFire) is the strongest bet that AG-UI bridges all three: it already ships A2UI + MCP Apps + Open-JSON-UI as first-class examples. Default for new builds: AG-UI as the event substrate, A2UI for the component catalog, MCP Apps when you need to embed a partner web property inline.
3Anatomy of an agentic browser
Market signal

Cursor + Claude Code already account for 95.6% of all developer AI agent traffic (Mintlify, Mar 26). Comet + Atlas + Remy + Hatch are the consumer-side version of that same lock-in race - whoever owns the default browsing surface owns the agent's eyes, hands and wallet for the next decade. On Day 48 we mapped the AG-UI maturity curve (L1 chat-only -> L5 multi-agent UX).

Practical takeaways
Practical takeaways for builders
VS
Varun Singla
Singapore · About · Learning in public