Anthropic's Claude Extension Vulnerable to Malicious AI Workflow Triggers
A critical flaw in the **Anthropic** **Claude for Chrome** browser extension could allow malicious extensions to hijack AI workflows, potentially abusing **Claude's** access to sensitive services like **Gmail**, **Google Docs**, and **Salesforce**. Discovered by **Ax Sharma** of **Manifold Security**, the vulnerability stems from the extension's failure to verify the origin of user click events.

A significant security vulnerability has been identified in the **Anthropic Claude for Chrome** browser extension, posing a risk to users who have integrated **Claude** with their online services. The flaw could enable a malicious Chrome extension to programmatically trigger **Claude's** predefined AI actions, bypassing user consent and potentially leading to unauthorized data manipulation or exposure.
### The Trust Issue: Synthetic Clicks
**Ax Sharma** of **Manifold Security** discovered the vulnerability, which revolves around how the **Claude** extension distinguishes between genuine user interactions and programmatically generated events. Chrome extensions with appropriate permissions can inject JavaScript into webpages, allowing them to read, modify, and even simulate user actions like clicks and key presses.
Browsers typically flag events initiated by JavaScript as untrusted (setting `Event.isTrusted` to `false`), differentiating them from real user actions (`Event.isTrusted` set to `true`). However, **Manifold Security's** report details that the **Claude** extension did not check this `Event.isTrusted` property before executing its built-in AI workflows.
This oversight means a malicious extension, with the ability to run code on the `claude.ai` domain, could inject a specific page element and then generate a synthetic click event on it. Despite the browser correctly marking this event as untrusted, the **Claude** extension would process it as a legitimate user command, initiating the corresponding AI action.
### Predefined Workflows at Risk
The attack is limited to the nine predefined tasks embedded within the **Claude** extension. These include:
* **usecase-gmail:** Reading recent **Gmail** messages, identifying promotional emails, and unsubscribing.
* **usecase-gdocs:** Opening the latest **Google Doc**, reading comments and feedback.
* **usecase-calendar:** Reading **Google Calendar**, finding free slots, and creating meetings.
* **usecase-salesforce:** Modifying **Salesforce** leads and converting them to opportunities.
While the vulnerability doesn't allow for arbitrary prompt injection, it grants a malicious extension the power to leverage **Claude's** authenticated access to these connected services. The ultimate impact depends on user settings, particularly if the "Act without asking" option is enabled, allowing workflows to execute automatically.
### Installation of Malicious Extensions Required
It's important to note that this flaw doesn't allow a website to directly compromise the **Claude** extension. Instead, it requires an attacker to first trick a user into installing a separate malicious browser extension capable of executing code on `claude.ai`. Once installed, this rogue extension could then manipulate the webpage and trigger **Claude's** workflows.
### Secondary Finding: `skipPermissions=true`
**Manifold Security** also identified an internal `skipPermissions=true` parameter within the extension, which could bypass certain permission checks. While not directly exploitable on its own, this mechanism could become a vector if combined with another vulnerability allowing for specially crafted URLs.
### Vendor Response and Ongoing Risk
**Anthropic** was notified of both findings through their bug bounty program. They acknowledged the synthetic-click report, stating it was already being tracked as part of a broader issue. The `skipPermissions=true` parameter was classified as informational.
**Manifold Security** confirmed that both vulnerabilities remain exploitable in the latest version of the extension, **1.0.80**, released on July 7, indicating that the content script and side-panel handlers responsible for the flaws are byte-identical to the previous **v1.0.72** source. Users are advised to exercise caution when installing browser extensions and to be aware of the permissions they grant.