{"slug": "show-hn-drive-your-already-logged-in-chrome-from-any-ai-agent", "title": "Show HN: Drive your already-logged-in Chrome from any AI agent", "summary": "A new open-source tool called chrome-use lets AI agents control a user's already-logged-in Chrome browser without triggering anti-bot detection, solving the problem of re-login and captchas faced by traditional browser automation tools. The tool uses a browser extension and native messaging to drive the real browser, achieving a 0% bot score on CreepJS.", "body_md": "**English** · [简体中文](/leeguooooo/chrome-use/blob/main/README.zh.md)\n\n**chrome-use** drives your real, logged-in Chrome from any AI agent — it shares your existing login sessions and is undetectable by anti-bot systems because it *is* your real browser. Part of the `*-use`\n\nfamily ([iphone-use](https://github.com/leeguooooo) drives your real iPhone; chrome-use drives your real Chrome).\n\nOriginally based on vercel-labs/agent-browser (Apache-2.0); now a standalone project — the stealth/extension-relay architecture, anti-detection, humanize, multi-agent isolation, and CLI have diverged substantially.\n\n📖\n\nDeep dive:[Letting an agent click into cross-origin iframes — how chrome-use solves the hardest part of browser control]\n\n**No fresh Chrome. No re-login. No \"are you a robot?\" walls.**\n\nchrome-use points **any** agent — Claude Code, Cursor, Codex, your own scripts — at the **Chrome you're already signed into everything on**. It clicks in *your* window, so you watch it work and grab the wheel the moment it hits a 2FA prompt or captcha. And because it's literally your real browser (over a one-click extension, native messaging — no debug port), sites read it as 100% human: [CreepJS scores it 0% bot](#anti-detection).\n\n**Why not just use…**\n\n**Playwright / Puppeteer / browser-use?** They boot an*empty*browser — so you redo every login, fight every captcha, and still get flagged as automation. We use the session you already have.**Claude's Chrome extension?** Great, but it only drives Claude. This drives*any*agent or CLI.**A raw**(web-access, etc.)? Chrome 136+ pops`--remote-debugging-port`\n\n**\"Allow remote debugging?\"** on*every*connect. This never does — one-click Store extension, native messaging.\n\n**Full feature comparison** (the receipts)\n\n|\n|---|\n\n**chrome-use**\n\n**any** agent / CLI (not one app)**real, logged-in** Chrome**No \"Allow remote debugging?\" popup****verified 0%****No**(rebrowser)²`Runtime.enable`\n\nCDP leak**off by default****one** real Chrome, isolated tab groups³`<all_urls>`\n\n**7, no**`<all_urls>`\n\n¹ All three real-Chrome tools score ~0% on CreepJS (it's a real browser); we've measured ours. ² rebrowser's runtimeEnableLeak — verified clean on our relay path; Claude in Chrome not independently tested (—). ³ web-access can run parallel sub-agents on one browser, but without per-session isolation; each --session here gets its own colored, command-isolated tab group. See\n\n[Anti-detection](#anti-detection)for the measured numbers.\n\n**Typical browser automation** (Playwright, Puppeteer, or a fresh `--launch`\n\n) opens a brand-new browser with an empty profile. You have to log in again, and websites can tell it's automated.\n\n**chrome-use** connects to your existing Chrome. Your cookies, sessions, and browser fingerprint are all real — because it IS your real browser.\n\n| chrome-use | chrome-use | |\n|---|---|---|\n| Browser | Launches new Chrome | Connects to your Chrome |\n| Login state | Empty, need to re-login | Your existing sessions |\n| Fingerprint | Automation markers present | Your real fingerprint |\n| User collaboration | Separate window | Same window, take over anytime |\n| CAPTCHA | Agent stuck | You solve it, agent continues |\n\nYour **chrome-use CLI** talks to a tiny **browser extension** over Chrome\n**native messaging** — a local inter-process channel, *no network socket, no\ntoken, no remote server*. The extension uses `chrome.debugger`\n\nto drive the tabs\nyou target in **your own, already-logged-in Chrome**, then hands results back to\nthe CLI. Everything stays on your machine.\n\nEach `--session`\n\ngets its **own colored Chrome tab group**, so multiple agents\ncan share one real browser concurrently without stepping on each other — or your\nown tabs.\n\nOther local tools drive Chrome over a raw `--remote-debugging-port`\n\n(CDP). Since\n**Chrome 136**, every such connection pops a blocking **\"Allow remote debugging?\"**\nconsent dialog — and the port has to be enabled up front. Our extension uses\nnative messaging instead: **install once, then zero per-use confirmation.**\n\nchrome-use (this extension) |\nweb-access (raw CDP port) | Claude in Chrome (chrome.debugger) | |\n|---|---|---|---|\n| Connect method | native messaging — no port, no token | `--remote-debugging-port` |\n`chrome.debugger` |\n\"Allow remote debugging?\" popup |\nnever ✅ |\nevery connection 🔴 |\nno |\n| Uses your real login | yes | yes | yes |\n`Runtime.enable` (CDP) leak¹ |\noff by default → clean ✅ |\ndomain enabled | n/a |\n| CreepJS stealth score² | 0% stealth · 0% headless ✅ |\nreal Chrome | real Chrome |\n| Per-session tab groups / concurrent agents | yes ✅ |\nno | no |\n| Built for the chrome-use CLI | yes | a separate proxy | a single-app assistant |\n\n¹ Verified against\n\n[rebrowser-bot-detector]: our relay reports`runtimeEnableLeak: 🟢 No leak`\n\nand`navigatorWebdriver: 🟢`\n\n. ² Verified against[CreepJS]on the connected real-Chrome path — see[Anti-detection].The consent dialog isn't hypothetical: a raw-port tool pops it on\n\neveryattach (Chrome 136+ security). The extension path never does.\n\n```\ncurl -fsSL https://raw.githubusercontent.com/leeguooooo/chrome-use/main/install.sh | sh\n```\n\nDownloads the prebuilt binary for your platform from the latest [GitHub Release](https://github.com/leeguooooo/chrome-use/releases) and installs `chrome-use`\n\n(+ the `abs`\n\nalias). No npm, no tokens.\n\n## Other ways to install\n\n**Pin a version:**`AGENT_BROWSER_VERSION=v0.27.0-fork.12 curl -fsSL https://raw.githubusercontent.com/leeguooooo/chrome-use/main/install.sh | sh`\n\n**Custom location:**`AGENT_BROWSER_BIN_DIR=$HOME/bin curl -fsSL … | sh`\n\n**Windows:** download`chrome-use-win32-x64.tar.gz`\n\nfrom the[Releases page](https://github.com/leeguooooo/chrome-use/releases)and put`chrome-use.exe`\n\non your PATH.**npm (legacy):**`npm install -g chrome-use`\n\n— still published, but GitHub Releases is the primary channel now.\n\nThe repo ships SKILL.md files for Claude Code, Cursor, etc. Pull them into the current project with [skills.sh](https://skills.sh):\n\n```\nnpx skills add leeguooooo/chrome-use\n```\n\nThis drops `skills/chrome-use`\n\n(and the specialized `skill-data/{core,electron,slack,dogfood,agentcore,vercel-sandbox}`\n\n) into your project so your AI agent gets the right usage patterns and pre-approved bash permissions for `chrome-use`\n\n, `chrome-use`\n\n, and `abs`\n\n.\n\n`chrome-use`\n\n, `chrome-use`\n\n, and `abs`\n\nare **the same binary** —\n`abs`\n\nis just a short alias. There is no separate \"stealth executable\"; stealth\nis a runtime behavior (see [Anti-detection](#anti-detection) below), applied\nautomatically based on whether you attach to your real Chrome or `--launch`\n\na\nfresh one.\n\n**Recommended — the browser extension (one click, no popups).** Install the\n[ chrome-use extension from the Chrome Web Store](https://chromewebstore.google.com/detail/chrome-use/knfcmbamhjmaonkfnjhldjedeobeafmk),\nthen register the local bridge once:\n\n```\nchrome-use extension install      # register the native-messaging host (one-time)\nchrome-use open https://x.com/home\n```\n\n`chrome-use open`\n\nthen drives your real, logged-in Chrome over **native\nmessaging** — no debug port, no token, and **no \"Allow remote debugging?\" dialog,\never**. The extension auto-updates and survives Chrome restarts, so it stays\nconnected with zero per-use confirmation (ideal for unattended/agent use).\n\n## Alternative — raw remote-debugging port (pops a consent dialog)\n\nWithout the extension, chrome-use attaches over the Chrome DevTools Protocol,\nwhich Chrome only exposes when **launched with a remote-debugging port** (a\nstartup flag — the `chrome://inspect`\n\ntoggle alone is not enough):\n\n```\n# macOS\nopen -a \"Google Chrome\" --args --remote-debugging-port=9222\n# Linux\ngoogle-chrome --remote-debugging-port=9222\n# Windows: add --remote-debugging-port=9222 to your Chrome shortcut's target\n```\n\nThen `chrome-use open <url>`\n\nauto-discovers the port. On first attach,\n**Chrome 136+ shows an \"Allow remote debugging?\" dialog** — click Allow once (it\npersists for that Chrome session). The extension above avoids this entirely.\n\n**No setup / don't want to touch your real Chrome?** Use\n`chrome-use --launch open <url>`\n\nto spawn a fresh isolated stealth browser\n(full anti-detection patches applied; see below). This always works without any\nport setup and is what CI uses automatically.\n\n```\n# Connect to your Chrome and navigate\nchrome-use open https://example.com\n\n# Everything works through your logged-in browser\nchrome-use click \"Post\"\nchrome-use click 449 320            # …or click a raw viewport coordinate\nchrome-use fill \"Title\" \"Hello World\"\nchrome-use screenshot ./page.png\n```\n\nThe agent operates in your Chrome — you'll see tabs opening, pages loading, clicks happening in real time. You can take over at any point (e.g. solve a CAPTCHA), then let the agent continue.\n\nSpawn a separate browser instead of attaching to your running Chrome:\n\n```\n# Throwaway: fresh, EMPTY profile — no cookies, no login (good for CI/testing)\nchrome-use --launch open https://example.com\n\n# Keep your login: launch with your real Chrome profile (cookies/sessions intact)\nchrome-use --launch --profile auto open https://x.com/home\n# or name it explicitly: --profile Default / --profile \"Profile 1\"\n```\n\n⚠️ Plain`--launch`\n\n(no`--profile`\n\n) uses atemporary empty profile— you will NOT be logged into anything. For logged-in sites use`--profile auto`\n\n(picks the Chrome profile you used most recently) or`--profile <name>`\n\n. chrome-use prints a warning when you`--launch`\n\nwithout a profile.\n\nIn CI environments, standalone mode is used automatically.\n\nMost \"read GitHub issues\" / \"search Reddit\" / \"get my Bilibili feed\" tasks don't\nneed clicking and screenshotting at all — the site already has a JSON API behind\nits own login. A **site adapter** is a tiny JS function that calls that API *from\ninside your logged-in tab* (your cookies, same-origin `fetch`\n\n, the site's own\nmodules) and returns clean JSON. The site can't tell it apart from you, because it\n*is* you.\n\nchrome-use ships none of these adapters — `site update`\n\nfetches the community\n[ bb-sites](https://github.com/epiral/bb-sites) pack at runtime (like a package\nmanager pulling a dependency), then runs them over chrome-use's stealth transport:\n\n```\nchrome-use site update                          # fetch the adapter pack (~145 commands)\nchrome-use site list                            # github/issues, reddit/search, bilibili/feed, …\nchrome-use site info github/issues              # see an adapter's args + domain\n\n# Run one — navigates to the site (reusing the tab if you're already there) and returns JSON\nchrome-use site github/issues epiral/bb-browser --json\nchrome-use site reddit/search \"rust async\" --json\nchrome-use site bilibili/feed --json            # works because it's your logged-in session\n```\n\nPositional args fill the adapter's declared args in order; `--key value`\n\noverrides\nby name. Adapters are authored by the bb-sites community and remain their authors'\nproperty — chrome-use just runs them.\n\n**Auto-sync + auto-suggest.** You rarely type `site update`\n\nyourself: chrome-use\nsyncs the pack on first use and refreshes it weekly in the background (tune with\n`AGENT_BROWSER_SITES_TTL_DAYS`\n\n, disable with `AGENT_BROWSER_SITES_NO_AUTO_UPDATE=1`\n\n).\nAnd when you `open`\n\n/`snapshot`\n\na page whose domain has adapters, chrome-use surfaces\nthem right in the output — a `💡 site adapters for <domain>`\n\nline, plus a\n`siteAdapters`\n\nfield under `--json`\n\n— so an agent reaches for the structured-data\nadapter instead of scraping the DOM:\n\n``` bash\n$ chrome-use open https://github.com\n💡 site adapters for github.com — prefer these for structured data:\n   github/issues, github/me, github/repo, …\n   e.g. chrome-use site github/issues --json\n✓ GitHub\n```\n\nTurn the repetitive \"open it, click around, check it's right\" work into a\n**re-runnable suite** — unit tests for the frontend. Write cases in YAML; steps\nreuse chrome-use's own commands and assertions compile to a single check:\n\n```\n# smoke.yaml\nsuite: chatgpt smoke\nsetup:\n  - account: chatgpt/huayue          # inject a cookie-use login (optional)\ncases:\n  - name: home loads logged in\n    steps:\n      - open: https://chatgpt.com/\n      - wait: { load: networkidle }\n    assert:\n      - url: { contains: chatgpt.com }\n      - visible: \"#prompt-textarea\"\nchrome-use test smoke.yaml                     # launches an isolated browser, runs cases\nchrome-use test smoke.yaml --session default   # …or against your connected Chrome\nsuite: chatgpt smoke  (session cu-test)\n  ✓ home loads logged in   1.2s\n  ✗ composer takes text    0.8s\n      assert text \"#prompt-textarea\" contains \"hi\" → got \"\"\n      ↳ cu-test-artifacts/composer-takes-text.png\n2 cases · 1 passed · 1 failed\n```\n\nExit code is non-zero if any case fails (drop it into CI), and failed cases save\na screenshot. Assertions: `url`\n\n· `visible`\n\n· `hidden`\n\n· `text`\n\n· `count`\n\n·\n`eval`\n\n. Steps: `open`\n\n· `click`\n\n· `fill`\n\n· `type`\n\n· `press`\n\n· `wait`\n\n· `scroll`\n\n· `eval`\n\n. Full guide: `chrome-use skills get test`\n\n. Found a regression? Add a\ncase — the suite gets more valuable the more you use it.\n\nWhen connected to your real Chrome, we inject **zero** JavaScript patches. Your browser's fingerprint is completely genuine. The guiding rule is **native CDP/Chrome overrides over JS lies** — a re-defined getter is itself detectable; a native override isn't.\n\n`navigator.webdriver = false`\n\nvia`Emulation.setAutomationOverride`\n\n(native, undetectable by CreepJS-style lie tests).A live`Runtime.enable`\n\nis left OFF by default.`Runtime`\n\ndomain is a detectable CDP signal (the patchright/rebrowser \"runtime leak\") — even when attached to your real Chrome. We only enable it when you opt into console/error capture (see below).`click`\n\n,`fill`\n\n,`eval`\n\n, etc. work without it.\n\n**Test results (connected to real Chrome):**\n\n| Test site | Result |\n|---|---|\n|\n\n**0% stealth · 0% headless**(no override traces at all)[bot.incolumitas.com](https://bot.incolumitas.com/)`overflowTest`\n\n, `overrideTest`\n\n, `puppeteerExtraStealthUsed`\n\n, worker consistency[bot.sannysoft.com](https://bot.sannysoft.com)[BrowserScan](https://www.browserscan.net/bot-detection)[Cloudflare Turnstile](https://nowsecure.nl)`0% stealth`\n\non CreepJS is the key number: because the connect path patches **nothing**, there is no override for a lie-detector to catch. (Dashboards that read `navigator.languages`\n\norder or IP geolocation may show a soft \"navigator\"/\"location\" flag — that tracks *your real Chrome's* language list and network, not an automation tell.)\n\nWhen using `--launch`\n\nmode (standalone browser), a full suite of stealth patches is applied instead, and it passes the suite above — with one caveat: CreepJS reports **~20% stealth** because the srcdoc-iframe `contentWindow`\n\npatch trips its `hasIframeProxy`\n\nprobe (the proxy that hides automation is itself a tell). Everything else is clean (`0% headless`\n\n, sannysoft/browserscan green, Cloudflare passed). Set ** AGENT_BROWSER_DISABLE_IFRAME_PROXY=1** to drop that patch for a clean\n\n**0% stealth**(trades the niche srcdoc-iframe masking). The\n\n**extension-connect path**(your real Chrome) injects zero JS and is unaffected — it's the genuine 0% path.\n\nFingerprint stealth isn't the whole story — the strongest anti-bot vendors (Akamai, PerimeterX, DataDome) also score *behaviour*. A click that teleports the cursor to an element's exact centre with no approach path and zero press delay is a tell, **even though our CDP events are isTrusted**.\n\nWith humanize on, the cursor moves like a hand: clicks follow a curved, decelerating Bézier path and land on a jittered point *inside* the element (never the dead centre); typing uses variable inter-keystroke timing; scrolling eases in segments; drags follow a curve. It's **adaptive** — every navigation is probed for known anti-bot vendors (cookies / scripts / globals) and a guarded page auto-escalates to full human motion, while ordinary sites stay instant (zero overhead).\n\nWhat the page's own `mousemove`\n\nstream sees (this *is* what a behavioural detector analyses):\n\n| trajectory | |\n|---|---|\noff (default) |\nstraight lines · dead-centre · instant |\nhuman |\ncurved trails · slow-in/slow-out · off-centre landings |\n\nControl with `--humanize off\\|fast\\|human`\n\nor `AGENT_BROWSER_HUMANIZE`\n\n. Default `off`\n\n; the adaptive detector escalates per page.\n\nDriving your real Chrome should never interrupt your work. The agent operates **entirely in the background**: new tabs open un-focused (in their own colored per-session tab group), the agent **never force-fronts a tab**, and `Emulation.setFocusEmulationEnabled`\n\nkeeps each agent tab rendering and reporting `document.hasFocus()`\n\n/ `visibilityState: 'visible'`\n\n. So screenshots still work, pages aren't render-throttled, and \"the tab was hidden the whole session\" never becomes its own bot tell. You keep working in your active tab; the agent works alongside you, silently. (Surfacing a tab stays available as an explicit command.)\n\nDon't take our word for it — point your connected Chrome at the toughest public detectors and compare:\n\n— the most thorough fingerprint / lie detector[CreepJS](https://abrahamjuliot.github.io/creepjs/)— behavioral + fingerprint scoring with a public methodology[bot.incolumitas.com](https://bot.incolumitas.com/)— Webdriver / User-Agent / CDP / Navigator[BrowserScan](https://www.browserscan.net/bot-detection)— the classic automation-marker checklist[bot.sannysoft.com](https://bot.sannysoft.com)·[pixelscan.net](https://pixelscan.net/)— consistency & identity[iphey.com](https://iphey.com/)\n\nWe deliberately **don't ship our own bot detector** — the strongest, most honest benchmark is the market's best detectors run against your real browser.\n\n| Variable | Default | Effect |\n|---|---|---|\n`AGENT_BROWSER_CAPTURE_CONSOLE` |\noff | Enable `Runtime` domain so `console` / `errors` capture page output. Off keeps the stealthiest profile. |\n`AGENT_BROWSER_HUMANIZE` |\noff | Human-like input motion: `off` (instant), `fast` (light eased trajectory), `human` (full curved trajectory + landing jitter + typing cadence + eased scroll/drag). Also `--humanize` . Default `off` ; the adaptive detector auto-escalates pages guarded by Akamai/PerimeterX/DataDome to `human` . |\n`AGENT_BROWSER_TIMEZONE` |\nunset | `--launch` only. An IANA id (e.g. `Asia/Tokyo` ) sets the timezone natively (Intl + Date follow, no JS lie) to match a proxy; `auto` derives one from the locale. |\n`AGENT_BROWSER_BLOCK_WEBRTC` |\nauto | `--launch` only. Auto-forces WebRTC through the proxy when one is set (no real-IP leak). `1` hides the local IP without a proxy; `0` opts out. |\n`AGENT_BROWSER_HIDE_CANVAS` |\noff | `--launch` only. Adds session-stable canvas/audio fingerprint noise. Off by default (noise is itself a \"lie\"). |\n`AGENT_BROWSER_ADAPTIVE_REF` |\non | When a saved `@ref` moves and the role/name re-query fails, relocate it by fingerprint similarity (high score + clear margin required, else it fails loudly). `0` disables. |\n`AGENT_BROWSER_CLICK_MODE` |\n(auto) |\nClick strategy. Default scrolls the target into view, dispatches a coordinate click, and falls back to a DOM `.click()` if a floating layer occludes the point. `dom` always uses `.click()` (best for autocomplete/menu items that close on blur); `coord` is strict coordinate-only (hard-fail on occlusion). |\n\n**Auto-connect is default**—`chrome-use open <url>`\n\ndrives your existing Chrome instead of launching a new one**Extension-relay transport**— a one-click Chrome Web Store extension + native messaging, so there's no debug port and no \"Allow remote debugging?\" dialog**CDP-native stealth**— anti-detection via Chrome/CDP overrides rather than JS patches; zero patches when attached to your real Chrome, full patches only for`--launch`\n\n**Humanize**— human-like cursor trajectories + adaptive anti-bot handling** Multi-agent isolation**— concurrent agents share one real Chrome via per-session tab groups, no cross-talk** Silent operation**— runs in the background; never steals your foreground tab\n\nOriginally based on vercel-labs/agent-browser (Apache-2.0); the projects have since diverged substantially.\n\nBuilt by\n\nleeguooooo— field notes on AI agents, reverse engineering & Cloudflare Workers at· follow on[blog.misonote.com][X @leeguooooo]", "url": "https://wpnews.pro/news/show-hn-drive-your-already-logged-in-chrome-from-any-ai-agent", "canonical_source": "https://github.com/leeguooooo/chrome-use", "published_at": "2026-06-25 02:32:15+00:00", "updated_at": "2026-06-25 02:43:11.834751+00:00", "lang": "en", "topics": ["ai-agents", "ai-tools", "developer-tools"], "entities": ["chrome-use", "Claude", "Cursor", "Codex", "Playwright", "Puppeteer", "browser-use", "CreepJS"], "alternates": {"html": "https://wpnews.pro/news/show-hn-drive-your-already-logged-in-chrome-from-any-ai-agent", "markdown": "https://wpnews.pro/news/show-hn-drive-your-already-logged-in-chrome-from-any-ai-agent.md", "text": "https://wpnews.pro/news/show-hn-drive-your-already-logged-in-chrome-from-any-ai-agent.txt", "jsonld": "https://wpnews.pro/news/show-hn-drive-your-already-logged-in-chrome-from-any-ai-agent.jsonld"}}