Researchers at Guardio, Trail of Bits, and Zenity Labs demonstrated that Perplexity Comet and analogous agentic AI browsers can be manipulated into autonomously executing phishing attacks, credential theft, and password manager takeovers (including 1Password vault compromise) via prompt injection from untrusted web content, calendar invites, and GAN-optimized phishing pages — completing full attack chains in under four minutes. Perplexity has patched the specific PerplexedBrowser vulnerabilities, but researchers are consistent that verbose agent reasoning as an adversarial feedback channel and insufficient trust boundary enforcement are structural properties of current LLM-based agentic architectures, not vendor-specific bugs. Verify Comet patch status, restrict agentic tool access to credential stores under least-privilege principles, and update threat models to incorporate T1185, T1555, and T1566 as active TTPs against agentic tooling.