Detailed Analysis
Anthropic's Claude Desktop application for macOS has been found to silently install a Native Messaging manifest file — `com.anthropic.claude_browser_extension.json` — without disclosing this behavior to users during or after installation. The manifest, placed in browser-specific system directories such as `~/Library/Application Support/Google/Chrome/NativeMessagingHosts/`, pre-authorizes Claude's browser extensions, including Claude for Chrome, to communicate directly with a local binary running at full user OS privileges. Critically, this installation occurs even for Chromium-based browsers not currently present on the user's machine, meaning the bridge is established speculatively for future browser installations. Users on Hacker News confirmed receiving no consent prompts from either Claude or macOS during this process, and Anthropic had issued no public statement addressing the behavior as of the time of reporting.
The technical implications of this architecture are significant. Native Messaging bridges are designed to allow browser extensions to communicate with local desktop applications, but doing so inherently bypasses the browser sandbox — one of the primary security boundaries modern browsers enforce. Through this channel, extensions can potentially read page contents, autofill forms, capture screens, and access authenticated user sessions in ways that normal in-browser extension permissions would not permit. The absence of any user notification or explicit consent mechanism transforms what might be a legitimate feature into a covert modification of unrelated software directories, violating widely accepted principles of software transparency and least-privilege operation.
Security researchers have compounded these concerns by pointing to Claude's documented prompt injection vulnerability, which carries a success rate of 23.6% without mitigations and 11.2% even with them applied. Prompt injection — where malicious content embedded in a webpage or document manipulates an AI model's behavior — becomes substantially more dangerous when a browser extension is bridged to an unsandboxed local binary. A successful injection could theoretically route malicious instructions through the extension to the local executable, granting an attacker capabilities that extend well beyond the browser environment. Privacy consultant Alexander Hanff and Digital 520 founder Noah Kenney have both flagged this attack surface expansion as a meaningful elevation of risk, particularly given how broadly the manifest is pre-installed across multiple Chromium-family browser directories.
This incident arrives at a moment when the AI industry is under heightened scrutiny for the ways frontier model deployments interact with user systems and data. As AI assistants evolve from cloud-based chat interfaces into deeply integrated desktop and browser agents, the surface area of potential security and privacy harms expands proportionally. The Claude Desktop case exemplifies a broader pattern in which features enabling agentic or ambient AI capabilities — screen reading, form interaction, session access — are architected before robust disclosure and consent frameworks are in place. Regulatory bodies, particularly in the EU under the AI Act and existing GDPR frameworks, are likely to view silent system-level modifications of this nature as grounds for formal review.
The practical remediation steps available to affected users — manually locating and deleting the manifest files via terminal commands and auditing pre-authorized extension IDs — underscore the asymmetry between the ease of installation and the difficulty of remediation for non-technical users. The persistence of the manifest across application updates further limits the effectiveness of one-time removal without ongoing monitoring. For Anthropic, the episode represents a reputational and potentially regulatory liability that will likely necessitate either a transparent re-disclosure mechanism built into the installation flow, a formal security advisory, or both. It also raises broader questions about whether the industry's rapid push toward agentic AI deployment is outpacing the development of the consent, transparency, and security infrastructure needed to support it responsibly.
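The audit step described above, as an added example that is not part of the original article or Anthropic's code: it searches every `NativeMessagingHosts` directory under a given root for the manifest named in the article and reports the host binary and the pre-authorized extension IDs. The `path` and `allowed_origins` keys are the standard Chrome Native Messaging manifest fields; the sample tree, binary path, extension ID and `ExampleVendor` directory are constructed placeholders, and the "browser never run" check is a heuristic assumption.

```python
import json
import tempfile
from pathlib import Path

MANIFEST = "com.anthropic.claude_browser_extension.json"  # file name from the article
APP_SUPPORT = Path.home() / "Library" / "Application Support"

def audit(root=APP_SUPPORT, manifest=MANIFEST):
    """Find the manifest under every NativeMessagingHosts directory below root."""
    findings = []
    hits = list(root.glob(f"*/NativeMessagingHosts/{manifest}"))
    hits += root.glob(f"*/*/NativeMessagingHosts/{manifest}")
    for path in sorted(hits):
        browser_dir = path.parent.parent
        try:
            data = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError) as exc:
            findings.append({"manifest": str(path), "error": str(exc)})
            continue
        origins = data.get("allowed_origins", [])
        findings.append({
            "manifest": str(path),
            "host_binary": data.get("path"),  # local executable the extension may launch
            # allowed_origins entries look like chrome-extension://<id>/
            "extension_ids": [o.split("://", 1)[-1].strip("/") for o in origins],
            # Heuristic (assumption): a browser data directory holding nothing but
            # NativeMessagingHosts suggests that browser was never run here.
            "browser_data_present": any(
                p.name != "NativeMessagingHosts" for p in browser_dir.iterdir()),
        })
    return findings

def demo_tree(root):
    """Constructed sample data: one used browser dir, one that is otherwise empty."""
    body = {"name": "com.anthropic.claude_browser_extension", "type": "stdio",
            "path": "/Applications/Example.app/Contents/Helpers/host",  # placeholder
            "allowed_origins": ["chrome-extension://" + "a" * 32 + "/"]}
    for browser in ("Google/Chrome", "ExampleVendor/ExampleBrowser"):
        hosts = root / browser / "NativeMessagingHosts"
        hosts.mkdir(parents=True)
        (hosts / MANIFEST).write_text(json.dumps(body))
    (root / "Google/Chrome/Default").mkdir()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:   # on a real Mac, call audit() instead
        demo_tree(Path(tmp))
        for finding in audit(Path(tmp)):
            print(json.dumps(finding, indent=2))
```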