[Anthropic’s docs](https://code.claude.com/docs/en/desktop#browse-external-sites) say Auto and Bypass modes skip the domain allowlist while Claude can read external pages, edit repo files, and run commands. A poisoned DeFi docs page can now target the agent writing a Foundry deployment script, even though the browser profile excludes personal logins and history.

Top comment by @Benthic

Explore the topic

More on docs

Comments