Claude Desktop installs undocumented browser extensions for Chrome and other browsers
87 points by jmillikin
I ... think this might be FUD?
There's no evidence here of Claude installing a browser extension. It's installing a manifest file that would allow an identified extension - if installed by the user - to coordinate with the binary on the machine. It provides no capabilities to Claude or the browser without that extension being added.
That's very normal, and done by other applications too (e.g. 1Password has a manifest in $HOME/Library/Application Support/Microsoft Edge/NativeMessagingHosts on my machine, even though I do not have Edge installed). If it was not done, how could the application or extension know about each other?
edit: seriously, this ask:
Install the NM manifest only as a downstream consequence of the user affirmatively installing the paired browser extension.
is nonsense. There's no mechanism for a browser to install a NM manifest alongside an extension. The application must register the manifest, and necessarily can't know about the extension-installed event, because that would be interfering with the browser. The way to do this would be to use the native messaging bridge to receive the installation event, which they could do by installing a native messaging manifest file when installing the desktop app...
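The point being made above is that the manifest is inert on its own: it is a small JSON file that tells the browser which binary to launch and which extension IDs may talk to it. The script below is an added example (not code from this thread, from Anthropic, or from Claude Desktop) that parses such manifests the way a practitioner would when auditing a machine: it lists the `allowed_origins` extension IDs, the binary the browser would spawn, whether that binary exists, and the structural rules Chrome enforces (filename must match `name`, `type` must be `stdio`, `path` must be absolute). The sample manifest, its host name, extension ID and binary path are constructed placeholders, not Claude's real values; the directory list is the per-user macOS layout for the browsers named in the thread.

```python
"""Audit Chromium-family native messaging host manifests.

Added example, not code from the thread or from Anthropic. The manifest
written by demo() is constructed; its name, extension ID and binary path
are placeholders.
"""
import json
import os
import tempfile
from pathlib import Path

# Per-user manifest directories Chromium-family browsers scan on macOS
# (relative to ~/Library/Application Support). Linux uses
# ~/.config/<browser>/NativeMessagingHosts; Windows uses the registry key
# HKCU\Software\Google\Chrome\NativeMessagingHosts\<name> pointing at a file.
MACOS_NM_DIRS = [
    "Google/Chrome/NativeMessagingHosts",
    "Chromium/NativeMessagingHosts",
    "BraveSoftware/Brave-Browser/NativeMessagingHosts",
    "Microsoft Edge/NativeMessagingHosts",
    "Vivaldi/NativeMessagingHosts",
    "Arc/User Data/NativeMessagingHosts",
    "com.operasoftware.Opera/NativeMessagingHosts",
]

REQUIRED_KEYS = {"name", "description", "path", "type", "allowed_origins"}


def audit_manifest(manifest_path):
    """Parse one manifest and report what it would actually enable."""
    p = Path(manifest_path)
    data = json.loads(p.read_text(encoding="utf-8"))
    problems = sorted(REQUIRED_KEYS - data.keys())
    if data.get("type") != "stdio":
        problems.append("type must be 'stdio'")
    host_bin = data.get("path", "")
    if not os.path.isabs(host_bin):
        problems.append("path must be absolute")
    # Chrome only honours a manifest whose filename is "<name>.json".
    if p.name != f"{data.get('name', '')}.json":
        problems.append("filename does not match 'name'")
    ext_ids = []
    for origin in data.get("allowed_origins", []):
        prefix = "chrome-extension://"
        if origin.startswith(prefix) and origin.endswith("/"):
            ext_ids.append(origin[len(prefix):-1])
        else:
            problems.append(f"bad origin: {origin}")
    return {
        "manifest": str(p),
        "host_name": data.get("name"),
        "binary": host_bin,
        "binary_exists": os.path.exists(host_bin),
        "allowed_extension_ids": ext_ids,
        "problems": problems,
    }


def find_manifests(app_support_root):
    """Yield every *.json under the known NativeMessagingHosts directories."""
    root = Path(app_support_root)
    for rel in MACOS_NM_DIRS:
        d = root / rel
        if d.is_dir():
            yield from sorted(d.glob("*.json"))


def demo():
    """Write a constructed manifest into a temp tree and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp) / "Google/Chrome/NativeMessagingHosts"
        d.mkdir(parents=True)
        # Constructed sample: hypothetical host name, extension ID and path.
        manifest = {
            "name": "com.example.demo_host",
            "description": "Demo native host (constructed)",
            "path": "/Applications/DemoApp.app/Contents/MacOS/demo-host",
            "type": "stdio",
            "allowed_origins": [
                "chrome-extension://abcdefghijklmnopabcdefghijklmnop/"
            ],
        }
        (d / "com.example.demo_host.json").write_text(json.dumps(manifest))
        return [audit_manifest(m) for m in find_manifests(tmp)]


if __name__ == "__main__":
    for r in demo():
        print(json.dumps(r, indent=2))
    # Real audit of this account on macOS:
    # for m in find_manifests(Path.home() / "Library/Application Support"):
    #     print(json.dumps(audit_manifest(m), indent=2))
```

Run against the real `~/Library/Application Support` tree, this shows the two facts that matter for the consent argument in this thread: which extension IDs are permitted to connect, and which binary would be launched if one of them does. An empty `allowed_extension_ids` or a missing binary means the manifest cannot do anything at all.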
Right, as I understand it, Claude Desktop is explicitly not installing "undocumented browser extensions".
I do think it's reasonable to require the user to opt-in before setting up the native messaging side of things, e.g. KeePassXC requires you to explicitly opt-in as to which browsers it should set up the native messaging configuration for instead of writing to all of them unconditionally. But I'm not surprised that Claude or 1Password don't ask since it's just one more step, and theoretically users opt-in via installing the browser extension.
Is it nonsense though? Since I am fairly sure I have seen extensions ask for permissions to do things similar to this.
Even if the extension physically isn't able to do it, you can still do this in various other ways. Ways I have also seen, like a simple popup on extension installation. Along the lines of "for this extension to work you also need to enable it in claude desktop, this will install a manifest". Something along those lines anyway.
But, doing it right takes effort and critical thinking through things like this. My experience with Anthropic products (and that of many LLM vendors for that matter) is that UX isn't something that is considered too closely and subject to change on a regular basis anyway.
To be clear, I am not hinting at them vibe coding it. This has been an issue from well before their products were actually close to be able to do a competent job. I see it more as a product of these companies being in a constant scramble to keep the hype as hyped up as possible.
The consent is given when you install the extension that uses the native messaging client. It requires you agree to grant a permission called "Communicate with cooperating native applications".
Along the lines of "for this extension to work you also need to enable it in claude desktop, this will install a manifest". Something along those lines anyway.
I guess I don't see what harm there is in adding an unused registry entry/manifest file. It does exactly nothing unless and until the extension is installed. It's not like the extension page hides that it connects to the desktop app or takes control of the browser.
It's not the question about the harm, but that of the consent. A simple popup ("hey, we want to link up to your browser's extensions") would do.
Well, fuck me:
❯ find **/NativeMessagingHosts -name 'com.anthropic.claude_browser_extension.json' -type f
Arc/User Data/NativeMessagingHosts/com.anthropic.claude_browser_extension.json
BraveSoftware/Brave-Browser/NativeMessagingHosts/com.anthropic.claude_browser_extension.json
Chromium/NativeMessagingHosts/com.anthropic.claude_browser_extension.json
com.operasoftware.Opera/NativeMessagingHosts/com.anthropic.claude_browser_extension.json
Google/Chrome/NativeMessagingHosts/com.anthropic.claude_browser_extension.json
Microsoft Edge/NativeMessagingHosts/com.anthropic.claude_browser_extension.json
Vivaldi/NativeMessagingHosts/com.anthropic.claude_browser_extension.json
I understand why it's there functionally, but the lack of respect for any kind of consent process to doing this is bewildering and unsettling.
I only installed the application for the first time in the last 2 weeks and couldn't even successfully sign in, but I did open it once and yeah, no request for permissions.
I understand why it's there functionally, but the lack of respect for any kind of consent process to doing this is bewildering and unsettling.
This manifest file does not give Claude any access to your browser, it only enables the browser extension, if installed, to communicate with the desktop app. Presumably you consented to installing the application. If you installed the browser extension, you'd give consent to do so.
If it had silently installed the extension your concern would make sense to me; that's code running in a context you didn't expect. But without the extension installed, the manifest file does nothing.
Where would you like to have been asked for consent that you weren't?
I realise that, but it doesn't change the ethical perspective for me.
Where would you like to have been asked for consent that you weren't?
Any time before they actually did the thing would have been an improvement. I also would have preferred to have specified which browsers because if I were to use these features (which I never did and didn't plan to), I would want to know exactly which browsers' sessions were exposed. I could have established a dedicated browser for its use that was distinct from my daily driver and exerted a little more control and visibility into its access.
Yes, you might say that I get that control by which browsers I install the extension into and you would be technically correct, but it is not a respectable enough bar.
Any time before they actually did the thing would have been an improvement.
What's "the thing" here? Put a support file on disk during installation?
Yes, you might say that I get that control by which browsers I install the extension into and you would be technically correct, but it is not a respectable enough bar.
To me, just saying "it's not a respectable enough bar" does not meet any respectable bar. Why isn't it acceptable for that to be the point at which consent is given or withheld?
the lack of respect for any kind of consent process to doing this is bewildering and unsettling
They and other AI firms scrape the entire internet relentlessly (to the extent of being functionally a DDoS attack) and have stolen every scrap of real, creative human output to train their models.
As far as I'm concerned, this is extremely unsurprising and exactly the kind of disrespect the people who use and therefore legitimize these tools deserve. The fox asked to be let into the henhouse and you said "sure, go right ahead!"
Yes I agree. Bewildering, yes, but surprising, no. I suppose it just feels like a particularly personal violation when on your own machine.
I mean, sucks for you, but you did actually invite this kind of thing into your life by doing that.
Exactly, what the hell. Apart from Google Chrome (and Firefox, which isn't in the list below) I don't even have any of these other browsers installed!
$ fd claude_browser_extension.json ~/Library
/Users/miguno/Library/Application Support/BraveSoftware/Brave-Browser/NativeMessagingHosts/com.anthropic.claude_browser_extension.json
/Users/miguno/Library/Application Support/Vivaldi/NativeMessagingHosts/com.anthropic.claude_browser_extension.json
/Users/miguno/Library/Application Support/Arc/User Data/NativeMessagingHosts/com.anthropic.claude_browser_extension.json
/Users/miguno/Library/Application Support/Microsoft Edge/NativeMessagingHosts/com.anthropic.claude_browser_extension.json
/Users/miguno/Library/Application Support/com.operasoftware.Opera/NativeMessagingHosts/com.anthropic.claude_browser_extension.json
/Users/miguno/Library/Application Support/Chromium/NativeMessagingHosts/com.anthropic.claude_browser_extension.json
/Users/miguno/Library/Application Support/Google/Chrome/NativeMessagingHosts/com.anthropic.claude_browser_extension.json
Which, after some investigation (to e.g. confirm that my local .json files were identical to the contents shown in the original post), I deleted with:
$ fd claude_browser_extension.json ~/Library -x rm
Edit: I also checked Claude Desktop > Settings > Extensions. Not a single word or mention of these aforementioned extensions for browsers. I have zero Claude Desktop extensions installed and, without reading the article, would have never guessed that these extensions for browsers were installed.
Claude Desktop repeatedly installed/updated these 7 extensions since the beginning of February on my Apple machine. Every entry in the filtered log below is for all 7 extensions:
$ grep "Installed native host manifest" ~/Library/Logs/Claude/main.log | sed -e 's/ at \/Users\/.*//' | awk '{ print $1" "$2 }' | sort -n | uniq
2026-02-04 18:53:21
2026-02-04 23:33:26
2026-02-04 23:34:20
2026-02-04 23:34:27
2026-03-16 09:29:18
2026-03-17 11:52:22
2026-03-18 22:22:22
2026-03-19 14:49:34
2026-03-20 09:42:03
2026-03-20 10:10:39
2026-04-02 22:50:26
2026-04-02 22:57:56
2026-04-10 19:38:38
2026-04-10 19:40:51
2026-04-12 18:52:36
2026-04-12 19:10:04
2026-04-12 20:07:21
2026-04-15 12:19:46
2026-04-15 12:20:16
2026-04-15 12:29:45
2026-04-16 22:15:47
2026-04-16 22:24:19
2026-04-18 10:58:13
2026-04-18 15:06:54
TL;DR: Uninstalled Claude Desktop.
fwiw they did not install the extension so there was never any real threat... they installed a manifest that allows an extension you install separately to interact with claude desktop. they should prompt you about it but they probably vibe coded this slop in the first place and not using best practices.
I am getting annoyed by people (not you personally) stating 'it was vibe coded' as if it was an excuse and as if there weren't people behind it who decided to vibe code.
I assume some form of LLM participation in most code anyways by now and if not discussing vibe coding itself I think it's moot to mention it. It's just people writing bad code by whatever means they chose.
Note: You can check your Firefox profile into git. This has let me restore my sessions some times after bad crashes so I didn't have to reach for backups. But it also lets you track extensions installed or updated.
When or how do you commit it? Like just when you remember or is it automated?
And what's your general backup strategy? I have my Firefox profile backed up with https://www.borgbackup.org every night for example.
Manually, so I take note of what's changed. I just have some rsync scripts for local backups, borg would probably be better.
Or just sync it with a Firefox account. Wouldn't help against this particular issue, of course.
I do have sync, but I've still managed to lose sessions (that is, open tabs). Of course, it's probably a good thing that I lose my hoard every so often..
I wish the author didn't run this text through an LLM; there's a lot of distracting cruft here such as the following hyperbole:
What Anthropic chooses to do next matters. A company cannot credibly claim to support human rights, as Anthropic have done in arguing against the use of their technology for war, and in the next breath undermine the fundamental human rights to privacy and data protection.
As far as I can tell, Anthropic had no issue with supporting US war efforts until they were asked to implement fully autonomous lethal weapons and domestic mass surveillance. Even if we disregard that, I don't think installing a manifest file and war are at all comparable things?
As far as I can tell, Anthropic had no issue with supporting US war efforts until they were asked to implement fully autonomous lethal weapons and domestic mass surveillance.
Non sequitur.
Peace.
I didn't make a value statement about Anthropic. What I take issue with is that the author is depicting Anthropic as more virtuous than they are by making the unsubstantiated claim that they're against using their technology for war. This false premise is then used to support the author's closing statement.
I am also saying that this issue shouldn't have been brought up in the first place—but the author did, so I think it's fair to call it out.
I appreciate the calm, reasoned response. Thank you. I still disagree with you posting what you did, but I also recognize that you have a valid point that might be relevant to some who are reading this discussion. Also, being a fallible human, I fully recognize that I may simply be flat out wrong in my own opinion as to what should or should not be part of a given discussion.
Don't worry about it. I am here to learn, and disagreeing opinions give me much to think about. So likewise, I appreciate your input.
Installing a native messaging host manifest seems to be a bit of a nothing burger, the fear mongering at the end about extensions and interactions with claude desktop doesn't seem very convincing to me either. Calling it spyware at that point just makes me annoyed at the blogpost being a hyperbolic hitpiece with little actual content.
Did you miss this bit?
That is explicit authenticated session access, DOM state read, form filling, and screen capture, described by Anthropic on their own documentation site. If I have my bank open in a tab, the bridge's documented capabilities include reading it as me. If I have Tax, or my Health portal, or a client's Slack, or an admin console to production infrastructure, the documented capabilities include acting as me there.
The bridge runs outside the browser's sandbox at user privilege level [1], and Native Messaging hosts do not surface in any standard macOS process or permission UI, they are invoked by the browser and communicate over stdio.
Seems pretty spyware-ish to me
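The quoted passage says the host "runs outside the browser's sandbox" and "communicates over stdio". The block below is an added example (not code from this thread, from the article, or from Anthropic) of what that stdio channel actually is: each message is a 4-byte length in native byte order followed by that many bytes of UTF-8 JSON, and the browser only opens the channel when an extension listed in the manifest's `allowed_origins` calls `connectNative` or `sendNativeMessage` (Chrome passes the caller's origin as the first argument to the host on macOS and Linux, which a host can check). The handler, message types and the 64 MiB inbound cap are constructed for the demo; the 1 MiB host-to-browser limit is Chrome's.

```python
"""Native messaging wire framing over stdio.

Added example, not code from the thread or from Anthropic. Each frame is a
4-byte native-byte-order length followed by UTF-8 JSON. The handler and the
inbound sanity cap are constructed for the demo.
"""
import io
import json
import struct
import sys

# Chrome rejects messages from the host larger than 1 MiB.
MAX_HOST_TO_BROWSER = 1024 * 1024
# Local sanity cap on inbound frames (assumption, not a Chrome limit).
MAX_BROWSER_TO_HOST = 64 * 1024 * 1024


def encode_message(obj):
    """Serialise obj as one frame: 4-byte length prefix + compact JSON."""
    body = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    if len(body) > MAX_HOST_TO_BROWSER:
        raise ValueError("message exceeds 1 MiB host->browser limit")
    return struct.pack("=I", len(body)) + body


def read_message(stream):
    """Read one frame from a binary stream; return None on clean EOF."""
    header = stream.read(4)
    if not header:
        return None
    if len(header) < 4:
        raise EOFError("truncated length prefix")
    (length,) = struct.unpack("=I", header)
    if length > MAX_BROWSER_TO_HOST:
        raise ValueError(f"frame of {length} bytes exceeds local cap")
    body = stream.read(length)
    if len(body) != length:
        raise EOFError("truncated message body")
    return json.loads(body.decode("utf-8"))


def handle(request):
    """Toy host-side handler (constructed). A real host dispatches on 'type'."""
    if request.get("type") == "ping":
        return {"type": "pong", "echo": request.get("payload")}
    return {"type": "error", "reason": "unknown request type"}


def serve(inp, out):
    """Read frames from inp and write replies to out until EOF; count them."""
    handled = 0
    while True:
        req = read_message(inp)
        if req is None:
            return handled
        out.write(encode_message(handle(req)))
        out.flush()
        handled += 1


def demo():
    """Simulate the browser side with in-memory streams; return replies."""
    browser_to_host = io.BytesIO(
        encode_message({"type": "ping", "payload": "hi"})
        + encode_message({"type": "other"})
    )
    host_to_browser = io.BytesIO()
    n = serve(browser_to_host, host_to_browser)
    host_to_browser.seek(0)
    replies = []
    while (m := read_message(host_to_browser)) is not None:
        replies.append(m)
    return n, replies


if __name__ == "__main__":
    # As a real host, the binary named in the manifest is launched by the
    # browser and talks over its own stdin/stdout:
    #     serve(sys.stdin.buffer, sys.stdout.buffer)
    print(demo())
```

Two things follow from the framing that bear on the thread. First, the host process is a child of the browser, launched per connection, which is why it never shows up in a permission prompt: from the OS's point of view it is just the browser running a user-level binary. Second, every byte the host ever sees arrives through this channel from an extension the manifest names, so with no such extension installed the host is never launched and the channel never exists.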
The bridge only gets authenticated sessions, DOM state etc from the extension, where the extension is installed. These permissions are disclosed for the extension just like any other browser extension. The manifest does not give Claude any permissions, it only permits communication between two explicitly installed applications (the desktop app and the extension).
I did see that part and I disregard it. It's alarmist at best. Spyware is a type of malware; its intentions are malicious by nature, with the full intent to harm the user, directly or indirectly.
Is what Anthropic is doing super kosher and great? Probably not.
Is it actively and intentionally malicious with the goal of harming the user? Definitely not.
Frankly the blogpost is more harmful to the user than Anthropic's Claude Desktop because it dilutes actual messaging about malware that users can benefit from.
The intention to harm can be carried by a poisoned prompt.
And so can it be carried by a malicious executable, that doesn't make the kernel malicious for running it. The poisoned prompt becomes malware or spyware.
Expanding the definition of malware to also include "later on someone with malicious intentions can use this for malicious deeds" is silly and useless.
Expanding the definition of malware to also include "later on someone with malicious intentions can use this for malicious deeds" is silly and useless.
Eh. If software messes with my machine in ways I didn't ask for, and as a result opens up a vulnerability that wasn't here before, I'd be pretty miffed - maybe I wouldn't call it malware, because that implies malicious intent, but certainly it's in the broader category of Software I Would Prefer Was Nowhere Near My Computer Thank You Very Much. Old versions of AppsAnywhere are a good example here.
That being said, I think this comment probably has the right take here, and there are much better reasons to be angry at Anthropic.
I agree, the linked comment is a much better take. It's not in great taste, not malware, there is worse out there and the argument it's malware only muddies the discussion.
It would be nice to have something like OpenSnitch but for disk writes instead of network requests
It would also be nice to run on an OS where it's impossible by default for one app to do anything outside of its OS-allocated area without explicit consent by the user. 🤔
For the non-technical reader, this is… [explanation only a technical reader could follow]
Others are more qualified to comment on the rest, but I had to laugh here.