Claude Extension Trust Gaps Persist
Researchers identify lingering security flaws in the Claude for Chrome extension that allow rogue scripts to bypass user intent.
When you integrate an AI agent directly into your browser, you implicitly trust it to manage your sensitive digital footprint. However, recent findings suggest that the Claude for Chrome extension contains architectural vulnerabilities that allow third-party browser extensions to initiate unauthorized tasks, effectively hijacking the assistant’s connection to your personal data.
The Mechanics of Forged User Intent
The core of the issue lies in how the extension handles interactions within the browser DOM. Specifically, it relies on an onboarding button to trigger tasks. The extension’s content script listens for clicks on this element, reads a data-task-id, and subsequently launches the corresponding AI function. Crucially, the system fails to verify the event.isTrusted flag, which distinguishes legitimate user clicks from those simulated by malicious scripts.
Because the extension ignores this browser-level security check, any other installed extension capable of running scripts on claude.ai can inject a synthetic click. This forces the Claude extension to execute pre-defined tasks—such as accessing your Gmail, Google Docs, or Calendar—as if you had manually authorized them. While Anthropic previously restricted these interactions to nine specific task IDs, the underlying flaw remains active in the current software version.
Automation Risks and Critical Ratings
The severity of this vulnerability shifts dramatically based on user configuration. If an individual has enabled the "Act without asking" automation mode, the extension processes these forged requests silently.
- CVSS 7.7 High: The risk level when the extension is in default "ask before acting" mode, where an approval box still appears.
- CVSS 9.6 Critical: The risk level when "Act without asking" is enabled, allowing the tasks to execute without any user intervention.
- v1.0.80: The current version of the Claude for Chrome extension in which researchers confirmed these vulnerabilities persist.
Any other browser extension that can run a script on claude.ai can still trigger Claude for Chrome tasks aimed at your Gmail, your latest Google Doc and its comments, and your Calendar.
— Swati Khandelwal, reporter at The Hacker News
Hidden Paths and Future Exposure
Beyond the forged click mechanism, researchers identified a secondary concern involving the side panel's initialization. The extension can be forced to bypass permission checks entirely if the URL contains the parameter ?skipPermissions=true. While this parameter is currently only set by the extension itself, any future bug that allows a less-privileged context to manipulate this URL could elevate the existing forged-click vulnerability into a full-scale, silent data exfiltration path.
Implications for AI Agency
The persistence of these issues highlights the ongoing struggle to define trust boundaries for browser-based AI agents. By allowing external extensions to influence the Claude panel, the current design creates a "confused deputy" problem where the assistant executes actions for the wrong caller. For users and organizations, the takeaway is clear: any browser extension with permission to read or modify data on claude.ai represents a potential vector for unauthorized interaction.
As of July 14, no official patch has been deployed to resolve these specific flaws. To mitigate immediate risk, users should audit their installed browser extensions and manually disable the "Act without asking" mode within their Claude settings until the developers release a definitive fix.