Anthropic's Claude Desktop silently installs a Native Messaging bridge into seven Chromium browsers, including browsers Anthropic's own documentation says it does not support, and browsers the user has not even installed.
Claude Desktop may be lacking controls and docs on how they integrate with browser extensions, but the write-up seems overly dramatic.
It’s not clear any browser extension was actually installed in the browser on the author’s system. Until such an extension is installed, the native messaging manifests are inactive; no browser would use them. This standard web technology allows, by design, specific browser extensions to reach specific apps outside the sandbox. A pairing occurs, where the native app allows only specific extensions (cf. the pre-installed manifest), and the extension requests a specific app. Both need to occur to allow the communication.
Looking at one extension’s info on the Chrome store, it’s obvious what they do. https://chromewebstore.google.com/detail/claude/fcoeoabgfenejglbffodgkkbkcdhcgfn
I would trust neither app nor extension on my system, not without extra sandboxing, out of an abundance of caution. But this write-up comes up short of showing spyware behavior.
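Added example (not part of the comment above and not Anthropic's code): a small audit that checks the pairing the comment describes, reporting for each native messaging manifest whether any extension ID in its `allowed_origins` is actually installed in a browser profile. The two directories are supplied by the caller; the host name `com.example.bridge`, the binary path and the sample manifest are constructed for illustration, and only the extension ID is taken from the store URL in the comment.

```python
import json, re, tempfile
from pathlib import Path

# Chromium extension IDs are 32 characters from a-p; origins carry no wildcards.
ORIGIN_RE = re.compile(r"^chrome-extension://([a-p]{32})/$")

def audit_native_hosts(hosts_dir, extensions_dir):
    """Per manifest, list allowed extension IDs and which ones the profile has
    installed (a Chromium profile keeps one sub-directory per extension ID)."""
    ext_root = Path(extensions_dir)
    installed = {p.name for p in ext_root.iterdir() if p.is_dir()} if ext_root.is_dir() else set()
    report = []
    for mf in sorted(Path(hosts_dir).glob("*.json")):
        try:
            data = json.loads(mf.read_text(encoding="utf-8"))
            if not isinstance(data, dict): raise ValueError("manifest is not an object")
        except (OSError, ValueError):
            report.append({"manifest": mf.name, "state": "unreadable"})
            continue
        origins = [str(o) for o in data.get("allowed_origins", [])]
        ids = [m.group(1) for o in origins if (m := ORIGIN_RE.match(o))]
        paired = sorted(set(ids) & installed)
        report.append({
            "manifest": mf.name,
            "host": data.get("name"),
            "binary_present": Path(str(data.get("path", ""))).is_file(),
            "allowed_ids": ids,
            "malformed_origins": [o for o in origins if not ORIGIN_RE.match(o)],
            "paired_ids": paired,
            "state": "paired" if paired else "dormant",  # dormant: no allowed extension installed
        })
    return report

def demo(extension_installed):
    """Constructed sample: one manifest allowing the extension ID linked in the comment."""
    ext_id = "fcoeoabgfenejglbffodgkkbkcdhcgfn"
    root = Path(tempfile.mkdtemp())
    hosts, exts = root / "NativeMessagingHosts", root / "Extensions"
    hosts.mkdir(); exts.mkdir()
    manifest = {"name": "com.example.bridge",        # hypothetical host name
                "path": str(root / "bridge-host"),    # hypothetical binary, never created
                "type": "stdio",
                "allowed_origins": [f"chrome-extension://{ext_id}/"]}
    (hosts / "com.example.bridge.json").write_text(json.dumps(manifest))
    if extension_installed:
        (exts / ext_id / "1.0.0_0").mkdir(parents=True)
    return audit_native_hosts(hosts, exts)

if __name__ == "__main__":
    print(demo(False), demo(True))
```

On a real system, point `hosts_dir` at a browser's `NativeMessagingHosts` directory and `extensions_dir` at the matching profile's `Extensions` directory; a `dormant` entry is a manifest with no installed extension on its allow-list.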