According to Infosecurity Magazine, researchers at Koi Security discovered that three of Anthropic’s official Claude Desktop extensions were vulnerable to prompt injection attacks. The vulnerabilities, reported through Anthropic’s HackerOne program on July 3 and verified as high severity with a CVSS score of 8.9, affected the Chrome, iMessage and Apple Notes connectors. These Model Context Protocol servers run fully unsandboxed on user devices with full system permissions, meaning they can read any file, execute commands, access credentials and modify settings. The unsanitized command injection vulnerabilities could turn any benign question to Claude into remote code execution if a malicious actor crafted content accessed by Claude Desktop. Attackers could potentially collect SSH keys, AWS credentials or browser passwords through these exploits.
Sponsored content — provided for informational and promotional purposes.
Desktop Extensions Are No Joke
Here’s the thing that really stands out: these aren’t your typical browser extensions. Most Chrome extensions run in a sandboxed environment, but Claude Desktop extensions? They run with full system permissions. That means they can access everything on your machine. The researchers put it bluntly – these are “privileged executors bridging Claude’s AI model and your operating system.” Basically, you’re giving an AI assistant the keys to your entire digital kingdom.
The Trust Problem
And that’s where this gets really concerning. The assistant is acting in good faith, following what it thinks are legitimate instructions. But if someone manages to inject malicious content that Claude accesses, suddenly your helpful AI companion becomes a weapon against you. Think about it – how many times have you asked Claude to summarize a webpage or read content for you? Now imagine that webpage contains hidden malicious commands that Claude obediently executes.
Where This Is Heading
This feels like just the beginning of a much larger problem. As AI assistants become more integrated into our daily workflows, the attack surface expands dramatically. We’re moving from simple text generation to systems that can actually perform actions on our behalf. And honestly, are companies building these tools with security as a primary concern, or are they rushing to market with cool features?
The fact that these were official Anthropic extensions, available through their marketplace, should give everyone pause. If the official stuff has these kinds of vulnerabilities, what about third-party extensions? We’re probably going to see more of these discoveries as security researchers dig deeper into AI tooling. The race between building powerful AI capabilities and securing them is just getting started, and right now, security seems to be playing catch-up.
