Claude extensions open a security hole in endpoints

'It is the equivalent of setting your building code to 1234 and then leaving it unlocked '

Image:

Google Calendar becomes an attack path if using Claude Desktop Extensions

A single Google Calendar event can silently compromise a system running Claude Desktop Extensions.

Israel-based LayerX has identified a zero-click remote code execution (RCE) vulnerability in Claude Desktop Extensions (DXT) that an attacker could use to compromise an entire system.

Claude Desktop is a local endpoint-based version of Anthropic’s Claude AI assistant, and Desktop Extensions is a marketplace for add-ons to extend its functionality, similar to browser add-ons.

But unlike browser extensions – which run in a sandbox and lack system access – Claude Desktop Extensions execute without sandboxing and with full host system privileges. That means they can:

Read arbitrary files
Execute system commands
Access stored credentials
Modify operating system settings

Anthropic disputes the claim that extensions run without sandboxing, but LayerX’s principal security researcher Roy Paz explained to The Register:

“By design, you cannot sandbox something if it is expected to have full system access. Perhaps they containerise it but that's not the same thing.

Relative to Windows Sandbox, Sandboxie or VMware, Claude DXT's container falls noticeably short of what is expected from a sandbox. From an attacker's point of view it is the equivalent of setting your building code to 1234 and then leaving it unlocked because locking it would prevent delivery people from coming in and out."

Google Calendar can be used as an attack path to take advantage of this flaw.

In the always-on modern world where calendars quickly fill up with unnecessary meetings, handing off management to an AI assistant is tempting – but also opens up a security hole.

According to LayerX, Claude processes input from public-facing connectors like Google Calendar and then “autonomously determines which installed MCP connectors to use and how to chain them together in order to 'best’ fulfil the request.”

That means a calendar event can be used to give Claude access to malicious instructions that could force it to download, compile, and execute harmful code.

In LayerX’s example, the simple but ambiguous prompt, "Please check my latest events in Google Calendar and then take care of it for me” was all Claude needed to justify executing local code.

Although the vulnerability is severe enough to earn a CVSS score of 10/10, Anthropic has so far not moved to address it. In a statement, the company told LayerX:

“After reviewing your report, we've determined that this falls outside our current threat model. Claude Desktop's MCP integration is designed as a local development tool that operates within the user's own environment. Users explicitly configure and grant permissions to MCP servers they choose to run locally, and these servers have access to resources based on the user's permissions.

“The scenario you've described involves the interaction between multiple MCP connectors that a user has intentionally installed and granted permission to run without permission prompts. Since users maintain full control over which MCP servers they enable and the permissions those servers have, the security boundary is defined by the user's configuration choices and their system's existing security controls.”