According to Infosecurity Magazine, researchers at Koi Security found that three of Anthropic’s official extensions for Claude Desktop were vulnerable to prompt injection attacks. The vulnerabilities, reported through Anthropic’s HackerOne program on July 3 and rated as high severity with a CVSS score of 8.9, affected the Chrome, iMessage and Apple Notes connectors. These extensions are packaged Model Context Protocol servers available from Anthropic’s marketplace that allow Claude to act on behalf of users. Unlike browser extensions that run sandboxed, Claude Desktop extensions run fully unsandboxed with full system permissions, meaning they can read any file, execute commands, and access credentials. The unsanitized command injection vulnerabilities could turn any question to Claude into remote code execution if malicious content was accessed.
Sponsored content — provided for informational and promotional purposes.
Why this matters
Here’s the thing that really jumps out: these weren’t just regular browser extensions. They had full system access. Think about that for a second. We’re talking about extensions that could read your SSH keys, grab AWS credentials, even snatch browser passwords. And the scary part? Claude would just execute these commands thinking it was helping you out.
Basically, if an attacker managed to slip some malicious content into something Claude accessed through these extensions, they could potentially take over your entire machine. That’s not just a theoretical risk – that’s “game over” territory for security.
Broader implications
This situation highlights a much bigger problem in the AI assistant space. Everyone’s racing to make these tools more capable, more integrated with our systems. But are we thinking enough about security? Probably not.
Look, Anthropic isn’t alone here. This is an industry-wide challenge. When you give AI systems the keys to your digital kingdom, you’re creating massive attack surfaces. And honestly, most companies aren’t prepared for the security implications of AI agents with system-level access.
What’s interesting is that Anthropic actually has a bug bounty program through HackerOne, which is how these vulnerabilities got reported. That’s a good sign – they’re at least trying to do security responsibly. But it makes you wonder how many similar vulnerabilities are lurking in other AI assistants that don’t have proper security review processes.
What’s next
So where does this leave us? Well, for starters, users need to be way more careful about which extensions they install for AI assistants. Just because something comes from an official marketplace doesn’t mean it’s safe.
Companies building these tools need to seriously reconsider their security models. Maybe full system access isn’t the right approach. Perhaps we need better sandboxing, or more granular permission systems. The current “all or nothing” approach seems pretty reckless when you think about it.
And for the security community? This is a wake-up call. AI-powered tools are becoming ubiquitous, and they’re creating entirely new attack vectors that most security teams haven’t even considered. It’s going to be a busy few years for security researchers, that’s for sure.
