Claude Desktop Extension RCE

  • Big Model Security: Claude Desktop Extension Zero-Click Remote Code Execution Vulnerability

    Claude Desktop Extension (DXT) is affected by a zero-click remote code execution vulnerability based on indirect prompt injection, made possible by a sandbox-less architecture that grants the AI agent full system privileges. The vulnerability exploits a design flaw in the MCP protocol, which lacks trust boundaries, allowing an attacker to achieve arbitrary code execution by contaminating external data sources. Despite the highest risk rating, the vendor refused to fix the vulnerability on the grounds that it was "outside of the threat model," sparking widespread controversy over the division of security responsibilities in the age of AI. This case highlights the fundamental security risks of AI agent systems in terms of privilege control and input validation.
    Key points include:
    1. High-privilege, sandbox-less architecture: Claude DXT runs as a local MCP server, detached from the browser sandbox, and inherits all of the user's system privileges, creating a high-risk attack surface.
    2. Zero-click indirect prompt injection: The attacker embedded malicious instructions in a legitimate data source such as Google Calendar; the AI agent retrieved them on its own and mistakenly executed them, with no user interaction required.
    3. MCP protocol trust boundary failure: The Model Context Protocol allows the output of low-risk operations to directly trigger high-risk system calls, resulting in a "confused deputy" vulnerability that turns the AI agent into a springboard for attack.

    February 13, 2026