A zero-click vulnerability in Claude Desktop Extensions allows attackers to execute remote code through Google Calendar invites, exposing more than 10,000 users to system compromise.
Security firm LayerX discovered the flaw earlier this month. It affects over 50 extensions distributed through Anthropic's marketplace and earned a CVSS 10/10 severity rating, the maximum possible score.
Unlike traditional browser extensions that operate in sandboxed environments, Claude Desktop Extensions run unsandboxed with full system privileges. This architectural difference creates a critical security boundary failure, according to LayerX principal security researcher Roy Paz.
"Claude Desktop Extensions execute without sandboxing and with full privileges on the host system," Paz wrote in his analysis. "As a result, Claude can autonomously chain low-risk connectors like Google Calendar to high-risk local executors without user awareness or consent."
The attack requires no user interaction beyond a routine prompt. When a user asks Claude to "check my latest events in Google Calendar and then take care of it for me," the AI assistant interprets the vague instruction as authorization to execute commands embedded in calendar events.
Attackers can exploit this by creating Google Calendar invites containing malicious instructions in event descriptions. LayerX demonstrated a proof-of-concept where a calendar event titled "Task Management" contained instructions to pull code from a GitHub repository, save it locally, and execute a makefile.
"If exploited by a bad actor, even a benign prompt like 'take care of it,' coupled with a maliciously worded calendar event, is sufficient to trigger arbitrary local code execution that compromises the entire system," LayerX researchers stated.
The vulnerability stems from Anthropic's Model Context Protocol architecture, which allows Claude to autonomously select and chain together multiple tools to fulfill user requests. This design lacks safeguards preventing the AI from constructing dangerous workflows that bridge low-risk data sources with high-privilege execution contexts.
Anthropic declined to address the vulnerability, telling LayerX the issue "falls outside our current threat model." The company maintains that Claude Desktop's MCP integration operates as a local development tool where users control which servers they enable and what permissions those servers have.
"Users explicitly configure and grant permissions to MCP servers they choose to run locally," Anthropic stated. "The security boundary is defined by the user's configuration choices and their system's existing security controls."
Security researchers dispute this framing, arguing the architectural design itself creates unacceptable risk. Paz compared Claude's security approach to "setting your building code to 1234 and then leaving it unlocked because locking it would prevent delivery people from coming in and out."
The controversy highlights broader questions about responsibility in AI security. While Anthropic frames the issue as user responsibility comparable to installing third-party software, security experts argue AI desktop applications should implement stronger safeguards by default.
For enterprise security teams, the vulnerability creates a persistent remote code execution pathway in tools marketed for general productivity. Calendar integration alone provides attackers with a zero-click delivery mechanism that bypasses traditional security controls.
LayerX reported the vulnerability to Anthropic on February 9, but the company has not indicated plans for remediation. The security firm recommends organizations avoid using MCP connectors on security-sensitive systems until proper safeguards are implemented.
The vulnerability affects current versions of Claude Desktop Extensions, though Anthropic has not released patches and has declined to address the issue. Users can mitigate risk by disabling high-privilege extensions, restricting AI agents from executing local commands by default, and implementing application allowlisting controls.
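Restricting local command execution by default amounts to placing a gate between the tool calls the model proposes and the ones that actually run. The sketch below is an added example, not code from LayerX, Anthropic or Claude Desktop; the tool labels, `ToolChainGate` and `evaluate_plan` are hypothetical, and the plans are constructed to mirror the chain described in the proof of concept.

```python
from dataclasses import dataclass, field

# Hypothetical tool labels for illustration; not real connector or extension IDs.
UNTRUSTED_SOURCES = {"calendar.read", "email.read", "web.fetch"}  # return third-party text
HIGH_PRIVILEGE = {"shell.exec", "fs.write"}                        # act on the host


@dataclass
class ToolChainGate:
    """Sits between the model's proposed tool calls and their execution.

    One instance per user request, so taint does not leak across requests.
    """
    tainted_by: list = field(default_factory=list)

    def decide(self, tool: str) -> str:
        if tool in UNTRUSTED_SOURCES:
            # Reading is allowed, but from here on the context may hold
            # text written by someone other than the user.
            self.tainted_by.append(tool)
            return "allow"
        if tool in HIGH_PRIVILEGE:
            # Content from an external source must never drive a local executor.
            if self.tainted_by:
                return "deny"
            # Local execution is off by default: needs explicit per-call approval.
            return "confirm"
        return "deny"  # tools that are not allowlisted never run


def evaluate_plan(plan):
    """Return (tool, decision) for each step of one request's tool chain."""
    gate = ToolChainGate()
    return [(tool, gate.decide(tool)) for tool in plan]


# Constructed plans. The first mirrors the reported chain: read a calendar
# event, then save a file locally and execute it.
POC_CHAIN = ["calendar.read", "fs.write", "shell.exec"]
LOCAL_ONLY = ["shell.exec"]

if __name__ == "__main__":
    for name, plan in (("poc_chain", POC_CHAIN), ("local_only", LOCAL_ONLY)):
        print(name, evaluate_plan(plan))
```

The gate keys on which tools have already run in the request, not on what the calendar text says, so it does not depend on recognizing a maliciously worded event.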















