PerplexedBrowser: Perplexity’s Agent Browser Can Leak Your PC's Local Files
Perplexity’s agentic browser, Comet, just gave us a clean example of why “AI browser agents” and “the open internet” are a dangerous combo. Zenity Labs demonstrated a zero-click attack chain where a benign calendar invite becomes the delivery mechanism for indirect prompt injection.
The moment the user asks Comet to accept the meeting (and help prep), Comet can be manipulated into browsing local directories, opening sensitive local files, reading them, and then exfiltrating the contents to an attacker-controlled site using normal browser navigation.
This is the predictable outcome of treating everything an agent sees as actionable input, especially in workflows people already trust, like calendar content. Zenity disclosed the issue in October 2025, Perplexity classified it as critical, and the reported fix is a hard boundary blocking agent access to file:// paths (confirmed effective Feb. 13, 2026). The specific demo path is closed, but the broader class of attacks isn’t.
Zenity Demo: Zero-Click Calendar Invite → Local File Exfiltration
Zenity demonstrated an end-to-end attack against Comet where a calendar invitation becomes the entry point. The flow is simple and that’s what makes it nasty:
The attacker sends a calendar invite that looks normal to a human skimming it.
The user asks Comet to accept the meeting (and help prepare).
Indirect prompt injection embedded in the invite’s content causes Comet to merge the attacker’s instructions with the user’s request—Zenity calls this “intent collision.”
Comet navigates to local directories via file://, browses folders, opens a sensitive file, reads it, then navigates to an attacker endpoint and exfiltrates the contents in a request.
Notice what’s missing: there’s no “traditional vulnerability” in the classic sense. Zenity is explicit that this doesn’t rely on exploiting a software bug. Comet is following its execution model and operating inside intended capabilities because reading content, planning steps, and taking actions is what it’s designed to do.
Zenity also points out something that should make security folks uncomfortable: in one execution path, Comet warns after data transmission; in another, running in the background, no warning appears at all.
The Fix Closes This Door, But The Class of Attacks Stays Open
Per Zenity, the issue was responsibly disclosed on Oct. 22, 2025. Perplexity classified it as critical and collaborated on a mitigation: a hard boundary that blocks agent access to file:// paths at the code level. Zenity confirmed the fix effective on Feb. 13, 2026, and the specific demo no longer works.
That’s good. But let’s not pretend it solves the underlying problem.
If your model can take actions and it’s ingesting untrusted content to decide which actions to take, attackers will keep trying to steer it. Today it’s file://. Tomorrow it’s “connect to this internal URL,” “pull this doc,” “open this admin panel,” “run this workflow,” “summarize what you see,” and “send it here.” Anything the agent can reach becomes part of the blast radius.
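As an added illustration (not Perplexity's or Zenity's code), here is what a code-level navigation boundary of the kind described above can look like: a deny-by-default check that runs outside the model on every agent-initiated navigation. It goes beyond the file:// fix by also refusing loopback and private-network hosts, the "internal URL" case; the function names and the sample plan are hypothetical.

```javascript
// Added example: names below are hypothetical, not Comet's implementation.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Loopback, private (RFC 1918), link-local and unspecified IPv4 ranges.
function isInternalIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.\d{1,3}\.\d{1,3}$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

function isInternalHost(hostname) {
  const host = hostname.replace(/^\[|\]$/g, "").toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (host.includes(":")) {
    // IPv6 literal: loopback/unspecified, IPv4-mapped, unique-local, link-local.
    return host === "::1" || host === "::" || host.startsWith("::ffff:") ||
      /^f[cd][0-9a-f]{2}:/.test(host) || /^fe[89ab][0-9a-f]:/.test(host);
  }
  return isInternalIPv4(host);
}

// Decide one agent-initiated navigation. This runs outside the model, so text
// injected into the agent's context cannot argue its way past it.
function checkAgentNavigation(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl); // parse first: checks see the normalized scheme and host
  } catch (err) {
    return { url: rawUrl, allow: false, reason: "unparseable URL" };
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { url: rawUrl, allow: false, reason: "scheme " + url.protocol + " not allowed" };
  }
  if (isInternalHost(url.hostname)) {
    return { url: rawUrl, allow: false, reason: "internal host " + url.hostname };
  }
  return { url: rawUrl, allow: true, reason: "ok" };
}

// Constructed plan of agent navigations; every decision is kept so the agent's
// attempted actions stay visible to the user.
const plan = ["https://calendar.example/invite/42", "file:///home/user/Documents/",
  "http://192.168.1.1/admin"];
const decisions = plan.map(checkAgentNavigation);
console.log(decisions);
```

The guard checks URL literals only; a public DNS name that resolves to an internal address needs a resolution-time check as well.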
So my practical takeaways are boring but necessary:
Treat agentic browsers as high-risk until you’ve seen strong, enforceable trust boundaries.
Assume “trusted” surfaces like calendars, docs, and email are still attacker-controlled input.
Demand transparent, granular activity logs that make agent actions legible in real time—not after the fact.
And if your product depends on agents consuming arbitrary web content and acting autonomously, you don’t get to wave this off as edge-case research.