Google Gemini’s Computer Control: New AI Capabilities vs. Emerging Cybersecurity Risks

| Editorial Team
4

Google Gemini Can Now Control Your Computer — and Hackers Are Already Setting Traps

Google's Gemini 3.5 Flash now includes built-in computer control capabilities, letting AI agents navigate browsers, apps, and desktops — while cybercriminals are already exploiting similar tools to steal money from users.

The stakes could not be higher. As agentic AI moves from experimental feature to everyday functionality, the same capabilities that promise to revolutionize workplace automation are opening attack surfaces that malicious actors are actively targeting. A senior scientist at Google DeepMind put it plainly: scaled AI agents create incentives "for malicious people to do malicious things."

What Gemini's Computer Use Capability Actually Does

Google has moved "computer use" from a specialized model into Gemini 3.5 Flash, making agent-style control of browsers, apps, and desktop workflows a built-in feature rather than a separate product. This means Gemini can now see and interact with user interfaces, reason about what appears on a computer screen, and take direct actions on behalf of the user.

The practical implications are significant. Developers can now build agents that go far beyond calling APIs. They can automate GUI-only workflows — testing software, filling out forms, navigating dashboards, or operating legacy applications that have no API access at all.

Here is a concrete example of what that looks like in practice: if a piece of software has a graphical interface but no API, an AI agent can still use it. A user could instruct an agent to log into a dashboard, export yesterday's reports to a spreadsheet, compare them with last week's data, and email a summary — all handled through natural language rather than custom scripts stitching together separate tools.

This removes a long-standing bottleneck in automation and dramatically expands what AI agents can realistically accomplish in real production environments. For businesses evaluating how far to extend these capabilities, understanding the broader risks and challenges of artificial intelligence in business is an essential starting point before committing to agentic deployment.

The Broader Shift Toward Agentic AI

Computer use is not an isolated feature update — it represents a meaningful architectural shift in how AI is being positioned. Rather than functioning as a tool that responds to queries, Gemini is being built to act in the world: navigating interfaces, making decisions in sequence, and completing multi-step tasks with limited human involvement at each stage.

This shift has been building across the industry. Anthropic's Claude, Microsoft's Copilot, and OpenAI's Operator have each moved in similar directions. What Google's announcement signals is that agentic capability is transitioning from a competitive differentiator into a baseline expectation for enterprise-grade AI products.

For developers and businesses, this means the infrastructure decisions made now — around permissions, sandboxing, and human oversight — will define how safely and effectively these agents operate as the technology matures.

What This Means for SEO Professionals and Site Owners

For the SEO industry, the implications are substantial. Tools may become far more agentic in the near future. Rather than simply surfacing data, AI could log into Google Search Console, audit websites, crawl a site using tools like Screaming Frog, extract specific data points for comparison, and execute repetitive optimization workflows autonomously.

This is the kind of capability that once required either a developer or hours of manual effort. AI agents equipped with computer use could handle these workflows at scale — a shift that resembles the leap from manually editing spreadsheets to using pivot tables for the first time.

How Site Owners Will Need to Adapt

For site owners, there is another layer to consider. AI agents may increasingly act as "visitors" to websites, which could affect how owners interpret site interactions and engagement signals used for optimization. Understanding when a visit is human versus AI-driven will become a more pressing analytical challenge.

Beyond traffic interpretation, site owners should also consider the structural integrity of their content. As AI agents read and act on web pages, the clarity, accuracy, and structure of on-page content becomes more consequential — not just for human readers, but for agents processing that content as instructional input.

Proactively auditing your site for ambiguous language, conflicting instructions, or content that could be misinterpreted by an AI parsing the page will become a worthwhile maintenance task. What reads clearly to a human may behave unexpectedly when an AI agent treats it as a directive.

AI Agents Are Already Being Attacked — and Google Knows It

Google's announcement is optimistic in tone, but the safety best practices document it links to tells a more cautious story. The document states directly: "Computer Use presents unique security and operational risks, as a model acting on a user's behalf might encounter untrusted content on screens or make errors in executing actions."

That "untrusted content on screens" is a reference to what researchers describe as traps — hidden instructions embedded in websites or files designed to hijack AI agents. This is not a theoretical risk.

Just this month, a cybersecurity expert in California discovered illicit charges on his credit card traced back to Anthropic's Claude AI agent. He appears to have downloaded a file that contained an embedded AI agent trap. As reported, the file "basically told Claude to attempt to purchase different types of gift accounts on my stored information. So it was using the digital wallet that was on my computer for Claude to start to make these purchases."

This incident is a clear example of prompt injection — one of the most significant emerging threats in AI security, and one that existing cybersecurity frameworks were not designed to address. As agentic AI becomes more widespread, the attack surface expands significantly. For a deeper understanding of how AI is reshaping the threat landscape, the intersection of AI and cybersecurity network defence is increasingly where these battles will be fought.

Google's Seven Safety Best Practices for Developers

Google has outlined seven best practices for developers building with this capability:

  • Human-in-the-loop confirmation — requiring user approval before sensitive actions are executed
  • Secure sandboxed environments — using virtual machines or containers to limit agent impact
  • Input sanitization — cleaning user-generated text to prevent prompt injection attacks
  • Content guardrails — evaluating inputs and outputs for jailbreak attempts and inappropriate instructions
  • Allowlists and blocklists — controlling which websites an agent can visit and what actions it can take
  • Observability and logging — maintaining detailed records for auditing and incident response
  • Environment management — ensuring consistent GUI states to prevent unexpected pop-ups from confusing the agent

Why Websites Are Now Part of the Threat Surface

The challenge is that even with these safeguards, websites themselves become the battlefield. Site owners may need stronger bot controls and the ability to detect when hackers have embedded hidden prompt-injection instructions within their own pages. This is not something most website owners are currently monitoring for — a gap that compounds the risk for anyone using AI agents like the one Google just released.

Websites are no longer just targets for human visitors — they are now potential launch pads for attacks against AI systems acting on behalf of real people. Building a structured approach to identifying and responding to these threats requires a solid foundation in cybersecurity threat management and risk mitigation — something businesses deploying agentic AI should treat as a parallel workstream, not an afterthought.

As the number of AI agents proliferating across the web grows, so does the incentive for hackers to exploit them. The promise of agentic AI is real. So is the threat landscape surrounding it. For businesses and developers building on these capabilities, the seven safeguards Google recommends are not optional suggestions — they are the minimum starting point for responsible deployment.

How Readers Can Act on This Information

  • Developers and businesses building AI agents should treat Google's seven safety best practices as a baseline checklist before deploying any agent with computer use capabilities in production environments.
  • SEO professionals and site owners should begin auditing their analytics to distinguish AI agent traffic from human traffic and assess whether their sites could inadvertently host hidden prompt-injection content.
  • Individual users of AI tools with agentic capabilities should avoid connecting digital wallets or stored payment information to agents that browse untrusted websites until stronger security standards are established.

For further reading on the technical mechanics of prompt injection and how security researchers are working to counter it, OWASP's guidance on LLM security vulnerabilities provides a detailed and regularly updated reference point.

Editorial Team
You might also like

X Introduces Handles Marketplace: Premium Users Can Acquire Dormant Usernames

Leveraging User-Generated Content for your eCommerce Business

Target’s Source Code Theft: Significant Security Implications and Protective…

TikTok’s New Guide: Strategies for Home Decor Marketing Success

Google AI Overviews: Transforming Search Visibility Across Informational Queries

Upload Speed higher than Download Speed? Here’s why and what you can do to fix…