Detailed Analysis
A Reddit user's encounter with Cowork, an AI agent built on Claude, has surfaced a largely undocumented but practically significant behavior: the ability for Claude-powered tools to connect to and operate Chrome browser instances across different physical machines, not just the one where a conversation is actively taking place. The user, running Cowork on a Linux machine, was prompted for browser permissions despite having never opened Chrome in that environment. When Claude initially and incorrectly asserted it was using a local browser, the user challenged the claim, prompting a correction in which Claude identified that the connected Chrome instance carried an `isLocal: false` flag — meaning it was paired to a separate Windows device where the user had previously installed the Claude in Chrome extension and left it authenticated. The user's subsequent check of the Windows machine confirmed this: the booking.com search tab was open there, exactly as the agent had ultimately described.
The incident reveals two distinct issues worth separating. The first is a hallucination or confabulation failure: Claude initially provided a confident but factually wrong account of its own operational environment, claiming local browser execution when the underlying tool data indicated otherwise. This is a well-documented weakness in large language models, which can generate plausible-sounding explanations of their own internal states rather than accurately introspecting on tool outputs. The second issue is substantively more interesting and less widely understood: the Claude in Chrome extension apparently enables a persistent, account-linked browser pairing that allows Claude agents to remotely invoke browser sessions on any signed-in device, regardless of which machine the user is actively conversing from. This is a meaningful architectural capability that the user discovered entirely by accident.
The cross-device browser access model described here has significant implications for how users should think about agent-connected tools. If a Claude extension installed and signed into an account on a machine left running somewhere — at home, at an office — can be invoked transparently during an agent session on an entirely different device, users may have limited situational awareness about where their agent's actions are physically executing. The user in this case only discovered the Windows tab because they happened to check. In scenarios involving sensitive browsing, form submission, or authenticated sessions, this kind of invisible cross-device execution could carry meaningful privacy and security considerations that most users are not equipped to anticipate.
The broader context here connects to a rapidly expanding category of "computer use" and browser automation capabilities being integrated into AI agent frameworks. Anthropic, alongside competitors like OpenAI and Google DeepMind, has been pushing toward agents that can interact with real software environments rather than operating purely in text. Claude's computer use API and the Claude in Chrome extension are part of this push, enabling agents to browse, click, and interact with live web pages. However, as this incident illustrates, the documentation and user communication around these capabilities has not kept pace with the features themselves — Claude reportedly acknowledged it could not locate documentation on the cross-device pairing behavior, leaving users to encounter and decode it organically.
What makes the post particularly useful as a data point is its resolution: the behavior was real and internally consistent, not a bug or a hallucination about capability. Claude's cross-device browser invocation worked as apparently intended; the failure was in Claude's initial account of what it was doing, not in what it actually did. That distinction matters because it points to a gap not in the underlying capability but in Claude's ability to accurately describe its own tool execution context in real time — a metacognitive limitation that becomes more consequential as agents are trusted with more complex, multi-step, and multi-environment tasks.
Read original article →