LayerX, a security company based in Tel Aviv, says it has identified a zero-click remote code execution vulnerability in Claude Desktop Extensions that can be triggered by processing a Google Calendar entry.
Informed of the issue – worthy of a CVSS score of 10/10, LayerX argues – Anthropic has opted not to address it.
Claude Desktop Extensions, recently renamed MCP Bundles, are packaged applications that extend the capabilities of Claude Desktop using the Model Context Protocol, a standard way to give generative AI models access to other software and data. Stored as .dxt files (with Anthropic transitioning the format to .mcpb), they are ZIP archives that package a local MCP server alongside a manifest.json file describing the extension’s capabilities.
The Claude Desktop Extensions hub webpage claims the extensions are secure and undergo security review. “Extensions run in sandboxed environments with explicit permission controls, and enterprise features include Group Policy support and extension blocklisting,” the FAQs explain.
LayerX argues otherwise. According to principal security researcher Roy Paz, Claude Desktop extensions “execute without sandboxing and with full privileges on the host system.”
Paz told The Register, “By design, you cannot sandbox something if it is expected to have full system access. Perhaps they containerize it but that’s not the same thing. Relative to Windows Sandbox, Sandboxie or VMware, Claude DXT’s container falls noticeably short of what is expected from a sandbox. From an attacker’s point of view it is the equivalent of setting your building code to 1234 and then leaving it unlocked because locking it would prevent delivery people from coming in and out.”
Paz says that the vulnerability arises from the fact that Claude will process input from public-facing connectors like Google Calendar and that the AI model also decides on its own which installed MCP connectors should be used to fulfill that request.
The result is that when extensions with risky capabilities like command line access are present, extensions with less concerning capabilities can present an attack vector. In this instance, a Google Calendar event was used to make malicious instructions available to Claude, which the model then used to download, compile, and execute harmful code.
“There are no hardcoded safeguards that prevent Claude from constructing a malformed or dangerous workflow,” Paz claims. “Consequently, data extracted from a relatively low-risk connector (Google Calendar) can be forwarded directly into a local MCP server with code-execution capabilities.”
What Paz is describing is a form of indirect prompt injection – AI models that read webpages, other documents, or interface elements may interpret that content as instructions. This is a known, unresolved problem, which may explain Anthropic’s apparent disinterest in the LayerX report.
In this case, Paz found that when Claude is directed to process a Google Calendar event (enabled by an extension), it will carry out malicious instructions contained therein if it has access to relevant MCP tools (e.g. Desktop Commander, an MCP server for granting terminal access).
Paz presented Claude with the prompt, “Please check my latest events in google cal and then take care of it for me,” so the AI model scanned the event, saw a task containing instructions to download, compile, and launch the proof-of-concept code, and then carried out that task.
“This requires no user interaction, no confirmation prompt, and no explicit request for system-level automation,” Paz said in his post. “The result is a full remote code execution, meriting a CVSS score of 10/10.”
The risk for Claude users is that some miscreant might send a Google Calendar invitation that contains instructions to fetch malware. All that would be required to trigger the vulnerability would be to ask Claude to handle the event and for Claude to have terminal access, assuming no other mitigations have been implemented.
According to Paz, “LayerX approached Anthropic with our findings, but the company decided not to fix it at this time.”
Paz provided us with a copy of Anthropic’s response to the vulnerability report:
After reviewing your report, we’ve determined that this falls outside our current threat model. Claude Desktop’s MCP integration is designed as a local development tool that operates within the user’s own environment. Users explicitly configure and grant permissions to MCP servers they choose to run locally, and these servers have access to resources based on the user’s permissions.
The scenario you’ve described involves the interaction between multiple MCP connectors that a user has intentionally installed and granted permission to run without permission prompts. Since users maintain full control over which MCP servers they enable and the permissions those servers have, the security boundary is defined by the user’s configuration choices and their system’s existing security controls.
The Register asked Anthropic to comment but we’ve not heard back. ®
