LayerX, a security company based in Tel Aviv, says it has identified a zero-click remote code execution vulnerability in Claude Desktop Extensions that can be triggered by processing a Google Calendar entry.
Informed of the issue – worthy of a CVSS score of 10/10, LayerX argues – Anthropic has opted not to address it.
Claude Desktop Extensions, recently renamed MCP Bundles, are packaged applications that extend the capabilities of Claude Desktop using the Model Context Protocol, a standard way to give generative AI models access to other software and data. Stored as .dxt files (with Anthropic transitioning the format to .mcpb), they are ZIP archives that package a local MCP server alongside a manifest.json file describing the extension’s capabilities.
The Claude Desktop Extensions hub webpage claims the extensions are secure and undergo security review. “Extensions run in sandboxed environments with explicit permission controls, and enterprise features include Group Policy support and extension blocklisting,” the FAQs explain.
LayerX argues otherwise. According to principal security researcher Roy Paz, Claude Desktop extensions “execute without sandboxing and with full privileges on the host system.”
Paz told The Register, “By design, you cannot sandbox something if it is expected to have full system access. Perhaps they containerize it but that’s not the same thing. Relative to Windows Sandbox, Sandboxie or VMware, Claude DXT’s container falls noticeably short of what is expected from a sandbox. From an attacker’s point of view it is the equivalent of setting your building code to 1234 and then leaving it unlocked because locking it would prevent delivery people from coming in and out.”
Paz says that the vulnerability arises from the fact that Claude will process input from public-facing connectors like Google Calendar and that the AI model also decides on its own which installed MCP connectors should be used to fulfill that request.
The result is that when extensions with risky capabilities like command line access are present, extensions with less concerning capabilities can present an attack vector. In this instance, a Google Calendar event was used to make malicious instructions available to Claude, which the model then used to download, compile, and execute harmful code.
“There are no hardcoded safeguards that prevent Claude from constructing a malformed or dangerous workflow,” Paz claims. “Consequently, data extracted from a relatively low-risk connector (Google Calendar) can be forwarded directly into a local MCP server with code-execution capabilities.”
What Paz is describing is a form of indirect prompt injection – AI models that read webpages, other documents, or interface elements may interpret that content as instructions. This is a known, unresolved problem, which may explain Anthropic’s apparent disinterest in the LayerX report.
[…]
Source: Claude add-on turns Google Calendar into malware courier • The Register
Robin Edgar
Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft