Claude Desktop changes software permissions without consent - theregister.com

Detailed Analysis

A forum post on The Register, published April 20, 2026, alleges that the macOS version of Anthropic's Claude Desktop application installs files that affect other applications — specifically Chromium-based browsers — and authorizes extensions prior to installation without adequate user disclosure. The post frames this behavior as potential spyware, drawing attention to what the author characterizes as non-consensual modification of system and application-level permissions. The claim has circulated within tech communities, though the forum post represents user-level observation rather than a peer-reviewed technical audit, and no reproducible proof, code analysis, or corroborating screenshots have emerged to substantiate the specific allegations at the time of writing.

Anthropic's official documentation for Claude and Claude Code describes a layered, user-controlled permission architecture that stands in direct tension with the allegations. The system is designed around a tiered approval model in which read-only operations require no explicit sign-off, while higher-risk actions — such as file modifications, bash command execution, or configuration changes — prompt users for approval unless explicitly pre-authorized. Users can configure these rules through a `/permissions` interface or a `settings.json` file, with a priority hierarchy of deny over ask over allow. Documented bypass mechanisms do exist, including the `--dangerously-skip-permissions` flag and a `bypassPermissions` mode, but these are opt-in features that Anthropic explicitly cautions against for most use cases, noting risks such as unintended file deletions, scope creep, and modification of external config files or datasets.

The gap between documented intent and user experience is not trivial, however. Separate from the forum allegation, a GitHub issue filed against Claude Code notes that the application can sometimes ignore `settings.json` permission configurations even when bypass modes are enabled, suggesting real-world behavioral inconsistencies that may fuel broader distrust. Additionally, users have reported that the default permission system generates frequent approval prompts for low-risk operations — such as `mkdir` or `git status` — creating workflow friction that pushes some users toward blanket bypass modes, which in turn increases exposure to unintended actions. These documented friction points, while distinct from the spyware allegation, create a credibility environment in which user suspicion of opaque behavior is understandable even if not yet technically confirmed.

The incident fits within a broader pattern of scrutiny facing AI desktop agents as they gain greater system-level access. As AI assistants evolve from text-based chatbots into agentic tools capable of reading, writing, and modifying files and application settings, questions of trust, transparency, and informed consent become structurally more complex. The permissions model that sufficed for a chat interface is insufficient for an agent that can interact with a user's entire computing environment. Anthropic's documentation reflects awareness of this challenge, but documentation and actual runtime behavior are not always identical, and independent verification mechanisms — such as app manifests, system log auditing, or third-party code review — remain the appropriate standard for adjudicating claims of this nature.

The Register forum post, absent technical corroboration, does not constitute confirmed evidence of wrongdoing, but it does highlight a communication and transparency challenge that Anthropic and the broader AI agent industry must actively manage. As Claude Desktop and similar products expand their system footprints, the burden of demonstrating consent-respecting behavior shifts from reactive documentation to proactive, auditable design. Whether the specific allegation proves accurate or not, the episode underscores the reputational and practical stakes of deploying AI agents with elevated system privileges, and it signals that user-level scrutiny of such tools will only intensify as adoption grows.