Hidden Claude Desktop Extension Flaw Could Let Hackers Seize Your PC

Your Claude Desktop Extensions could endanger your PC and even its content, so be extra careful.

Cybersecurity experts are sounding alarms over Claude Desktop Extensions, warning that their current architecture could enable zero-click prompt injection attacks, potentially leading to remote code execution (RCE) and full system compromise.

Claude, the popular generative AI assistant from Anthropic, offers Desktop Extensions through its MCP server marketplace. While these extensions resemble browser add-ons in functionality, their security model differs drastically.

Unlike Chrome extensions, which are confined to a tightly controlled sandbox, Claude Desktop Extensions reportedly run with full system privileges and without sandbox restrictions.

How a Zero-Click Prompt Injection Attack Could Unfold


This elevated access introduces a critical security gap. Researchers at LayerX Security note that Claude could autonomously chain together low-risk integrations, like Google Calendar, with high-risk system operations.

In other words, the AI assistant could execute system-level commands without the user's explicit consent or awareness.

A theoretical scenario illustrates the danger: an attacker creates a Google Calendar event and invites the target user. In the event description, the attacker embeds malicious instructions, such as commands to download files from a GitHub repository and execute a makefile.

If the user later asks Claude to "check my latest events and take care of it," the AI may read and execute the embedded instructions, inadvertently downloading and running malicious code. This means malware could be installed without any user interaction, making the attack seamless and highly dangerous.

Why Unsandboxed AI Extensions Are Risky

Because these extensions operate with full system privileges, a successful attack could give the attacker complete control of the device, TechRadar wrote. There is an urgent need for stricter sandboxing, permission controls, and runtime safeguards in AI desktop environments.

As AI integrations become increasingly powerful, security architecture must evolve at the same pace to prevent zero-click exploits from becoming a widespread attack vector.
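
One form the permission controls and runtime safeguards mentioned above could take, shown as an added example that is not code from the article, LayerX, or Anthropic: a gate that blocks high-risk tool calls once content from an outsider-writable connector (such as a calendar invite) has entered the session, unless the user approves that exact call. The tool names, risk tiers and the `ToolCallGate` class are hypothetical.

```python
from dataclasses import dataclass, field

# Hypothetical tool names and risk tiers, chosen for this example only.
UNTRUSTED_SOURCES = {"calendar.read_events", "mail.read", "web.fetch"}
HIGH_RISK_TOOLS = {"shell.exec", "fs.write", "git.clone"}


@dataclass
class ToolCallGate:
    """Blocks high-risk calls once outsider-writable content is in the session."""
    tainted_by: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def record_result(self, tool: str) -> None:
        # Calendar invites, mail and web pages can be authored by anyone,
        # so their text is data and never a source of instructions.
        if tool in UNTRUSTED_SOURCES:
            self.tainted_by.append(tool)

    def check(self, tool: str, args: dict, user_approved: bool = False):
        """Return (allowed, reason); user_approved means the user confirmed
        this exact call in a dialog, not a vague chat request."""
        if tool not in HIGH_RISK_TOOLS:
            verdict = (True, "low-risk tool")
        elif not self.tainted_by:
            verdict = (True, "no untrusted content in session")
        elif user_approved:
            verdict = (True, "explicit per-call approval")
        else:
            verdict = (False, f"untrusted input from {self.tainted_by[-1]}")
        self.audit.append((tool, args, *verdict))
        return verdict


def replay_calendar_scenario():
    """Replay the article's scenario with constructed tool calls."""
    gate = ToolCallGate()
    results = [gate.check("calendar.read_events", {"limit": 5})]
    gate.record_result("calendar.read_events")  # event text enters context
    # Calls the model proposes after reading the event description (constructed).
    results.append(gate.check("git.clone", {"url": "https://example.invalid/repo"}))
    results.append(gate.check("shell.exec", {"cmd": "make"}))
    # Same call, after the user confirms the exact command in a prompt.
    results.append(gate.check("shell.exec", {"cmd": "make"}, user_approved=True))
    return gate, results


if __name__ == "__main__":
    for tool, args, allowed, reason in replay_calendar_scenario()[0].audit:
        print(f"{'ALLOW' if allowed else 'BLOCK'} {tool} {args}: {reason}")
```

The audit list doubles as a detection source: a blocked high-risk call immediately after a calendar or mail read is the chaining pattern the researchers describe.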

ⓒ 2026 TECHTIMES.com All rights reserved. Do not reproduce without permission.
