Note: After Antiy CERT released the report “Sand Dune Collapse in the AI Era — Supply Chain Security Challenges under the TeamPCP Attack Model” on June 12, 2026, some netizens responded that they wanted to know more about the security issues of desktop agents. Therefore, we are publishing this previously unpublished report, which uses the unauthorized channel risk of Claude Desktop as an example to analyze the current security risks of desktop agents.

1. Introduction

In April 2026, privacy and security researcher Alexander Hanff publicly disclosed that Anthropic’s Claude Desktop macOS client exhibited highly dangerous silent behavior. Without user authorization, pop-up notifications, or operational prompts, the client automatically writes Native Messaging authorization configuration files to the system directories of Chromium-based browsers: such as Chrome, Edge, Brave, Arc, Vivaldi, and Opera, silently establishing a high-privilege communication channel between the browsers and the local terminal.

This behavior exhibits three core characteristics: proactive pre-installation, full-scenario coverage, and automatic reactivation. Even without the corresponding browser installed on the device, a directory is proactively created and a configuration file is pre-installed; subsequent browser installations automatically activate the authorization channel. After the user manually deletes the configuration file, restarting Claude Desktop automatically regenerates it, achieving persistent persistence. Following the incident’s exposure, security researchers, combining the Claude ecosystem’s PromptInjection vulnerability with the high-privilege call capabilities of the MCP protocol, completed a principle analysis and attack chain deduction, confirming that this structural design flaw possesses the complete preconditions and theoretical feasibility for remote intrusion. Anthropic subsequently added an authorization switch in version iterations, but the underlying permission model and core attack surface were not completely eradicated.

2. Technical Mechanism and Behavioral Analysis

2.1     MCP and Native Messaging Architecture Principles

MCP (Model Context Protocol) has become the standard for bidirectional communication between unified large-scale model applications (AI Agents/IDEs/Dialogue Clients) and external data sources, tools, and business systems. This protocol was open-sourced by Anthropic (the developers of Claude) in November 2024 as a vendor standard and was donated to the Linux Foundation and the Agentic AI Foundation at the end of 2025, and is now an industry-standard specification. As a universal interaction protocol for the Claude series of products, it supports multiple transport layer adaptations and can meet different business scenarios such as local process communication, remote service calls, and browser integration.

Native Messaging is a standard communication mechanism in the Chromium ecosystem, enabling browser extensions to call native executable programs. Under this mechanism, local programs operate completely outside the browser sandbox, possessing full system permissions for the currently logged-in user. They can read webpage DOM data, cookie session credentials, and form usernames and passwords. It supports automated page operations, batch data scraping, and local API calls. As one of the browser’s highest-risk permission interfaces, industry standards require explicit user authorization before activation. Its workflow is as follows: Browser Extension → Communicates via standard input/output (stdio) to Native Messaging Host (local executable file) → Reads configuration file to determine path → Manifest JSON file (located in the browser configuration directory).

The communication mechanisms, application scenarios, and permission boundaries of different transport layers differ significantly. Among them, only the Chromium Native Messaging transport mode binds to the local channel of high-risk browsers, and this is also the core related architecture of this security incident. A comparison of the technical characteristics of each transport layer is as follows:

Table 2‑1 Comparison of Technical Features of Each Transport Layer in MCP

Transmission type	Communication methods	Typical scenarios	Should Native Messaging be used?
stdio	Standard Input/Output (JSON-RPC)	Local inter-process communication	No (direct child process communication)
SSE	Server-Sent Events (HTTP)	Remote MCP Server	No
HTTP/Streamable HTTP	HTTP POST/GET	Remote MCP Server	No
Chromium Native Messaging	Browser extension ↔ Local Host	Browser integration scenarios	Yes (for specific clients only)

Compared to the stdio, HTTP, and SSE transport modes of the MCP standard, the Chromium Native Messaging transport layer has unique technical limitations and security risks. This is the root cause of the high-risk channels silently embedded in Claude Desktop. The core risk characteristics are as follows:

1. Platform-bound characteristics: This transmission mechanism is only compatible with Chromium kernel browsers, covering mainstream terminal browsers such as Chrome, Edge, Brave, and Arc, covering most internet access scenarios on user terminals, and has an extremely wide attack surface.

2. Highly invasive deployment: Unlike the conventional MCP transmission mode, which does not require modification of system configuration, the Native Messaging mode must write a manifest file to the browser’s system configuration directory, which is an intrusive deployment behavior that actively tamperes with the configuration of third-party software.

3. High-risk and special permission model: The Native Messaging Host local process runs completely outside the browser’s security sandbox, holding full operational permissions for the currently logged-in user. Its permission level is far higher than that of standard web pages and extended permissions. Once exploited, it can directly breach the browser’s security boundaries.

4. Closed and concealed invocation scenarios: This channel only supports browser extension-triggered invocation and cannot be recognized and invoked by general MCP clients. Conventional monitoring tools cannot detect the channel’s operating status, making it extremely concealed. At the same time, the exclusive invocation mechanism significantly increases the difficulty of security auditing and behavior tracing.

In summary, the MCP protocol itself is a general AI interaction protocol and does not inherently carry high risks. However, Claude Desktop’s forced default activation and silent deployment of the high-risk Native Messaging transport layer, abandoning the secure and controllable standard transport mode, has created structural security vulnerabilities in the protocol design and product implementation.

2.2     Claude Desktop Silent Preset Behavior Analysis

1. Deployment Logic

Claude Desktop automatically triggers configuration writing logic at two key nodes: software installation and program startup. It traverses all Chromium browser NativeMessagingHosts directories in the system and generates authorization configuration files in batches. Its core risk characteristics are significant: First, it covers seven mainstream browsers indiscriminately, regardless of software version or installation status. Second, it supports proactive pre-emptive embedding, actively creating directories and writing configurations for browsers that are not installed, thus reserving long-term attack entry points. Third, it involves no user interaction throughout the process, skipping all notification, confirmation, and authorization steps, which completely violates industry security interaction standards.

• Mechanism

This configuration file is not a temporary cache file; it belongs to the software’s built-in persistent logic. After a user manually deletes the file, restarting Claude Desktop will trigger the Chrome Extension MCP module to automatically rebuild the configuration. Client logs can fully record the “Native host installation complete” execution history, achieving permanent persistence and making it impossible to completely eradicate through regular manual cleanup. Furthermore, the configuration file is signed with an officially certified certificate, possessing the characteristics of legitimate software, making it difficult for traditional endpoint protection to detect anomalies.

• Path Characteristics

The general deployment path is: ~/Library/Application Support/[browser name]/NativeMessagingHosts/com.anthropic.claude_browser_extension.json. The core configuration of this file includes the absolute path to the local chrome-native-host binary program and the official extension whitelist. All extensions on the whitelist can unconditionally call local high-privilege programs without any dynamic permission verification or behavior auditing mechanism.

Core functional module: Chrome Extension MCP, a dedicated module built into Claude Desktop, is responsible for batch configuration distribution across the entire browser, permission pre-embedding, and automatic file resurrection. All operations are logged on the client side.

Core configuration file, com.anthropic.claude_browser_extension.json, is automatically generated and persistently maintained by Claude Desktop. It includes three official extension whitelist IDs, allowing corresponding extensions to unconditionally call the local chrome-native-host binary without secondary permission verification. The following configuration should be added to com.anthropic.claude_browser_extension.json:

{

“name”: “com.anthropic.claude_browser_extension”,

“description”: “Claude Browser Extension Native Host”,

“path”: “/Applications/Claude.app/Contents/Helpers/chrome-native-host”,

“type”: “stdio”,

“allowed_origins”: [

“chrome-extension://dihbgbndebgnbjfmelmegjepbnkhlgni/”,

“chrome-extension://fcoeoabgfenejglbffodgkkbkcdhcgfn/”,

“chrome-extension://dngcpimnedloihjnnfngkgjoidhnaolf/”

]

}

2.3     Original Design Intent and Control Reversal Risk Mechanism

Based on preliminary analysis and assessment, Claude Desktop’s customized MCP-over-Native Messaging channel is a forward-looking business design for the vendor, primarily intended to address the shortcomings of the standard MCP protocol in adapting to browser scenarios. The original architecture was designed as a local AI-controlled browser security model, aiming to enhance AI-assisted office capabilities. On one hand, it can read webpage context and parse page data to achieve intelligent functions such as webpage summarization, content extraction, and code analysis; on the other hand, it supports lightweight automated browser operations, completing auxiliary tasks such as page recording and batch business processing. To lower the user’s operational threshold and reduce authorization pop-up interference, the vendor chose to silently pre-embed browser Native Messaging authorization configurations and pre-authorize official extension whitelists, prioritizing user experience in the design to achieve functional adaptation, thus creating structural security vulnerabilities.

However, this business channel can be maliciously exploited due to three design flaws that overturn the original one-way trust architecture, resulting in a reversal of control over permissions. First, the trust boundary design is uncontrolled; the client silently embeds a permanent whitelist authorization across the entire domain, allowing high-privilege channels to be invoked at any time without user installation of extensions or explicit authorization, leaving the terminal in a long-term dormant state. Second, the AI input validation mechanism is lacking; Claude automatically collects webpage content as the Prompt context by default, which cannot resist malicious payloads embedded in webpages and can be used by the PromptInjection vulnerability to tamper with the AI decision-making logic. Third, local process permissions are excessively granted; chrome-native-host, outside the browser sandbox, holds full-device user permissions, and combined with the MCP protocol’s ability to invoke system-level operations, the scope of permissions far exceeds the essential needs of browser-assisted business. These combined flaws cause the legitimate AI browser control channel to become a terminal intrusion entry point that can be exploited externally.

3. Security Risks and Privacy Impact Analysis

3.1     Capability Boundary Analysis

According to the Anthropic official documentation, once the Native Messaging Bridge channel deployed silently by Claude Desktop is activated, it can bypass browser sandbox restrictions and gain access to multiple high-privilege browser operation capabilities, covering core scenarios such as page access, authentication, data reading, and automated operations. Details of each capability and its risk level are as follows:

Table 3‑1 Detailed Capabilities of the Claude Desktop Native Messaging Bridge

Capability categories	Detailed description	Risk level
Browser automation	Supports automatically opening new browser tabs and automating multi-site continuous workflow operations without manual user interaction.	High
Authentication status sharing	It can directly read and reuse the session state and login credentials of all websites the user has logged into, allowing the user to access the corresponding site with legitimate identity.	High
DOM state reading	Completely read the webpage’s DOM structure, page source code, frontend logs, and console error messages to obtain all static and dynamic data of the page.	Middle
Data extraction	Intelligently parses webpage content, batch extracts structured text, data forms, and image/text information, and saves them to the local terminal.	Middle
Form autofill	Automatically reads locally stored form data, usernames, and passwords to complete the automatic filling, data entry, and submission of web forms.	High
Session recording	The entire process of recording user browser interactions and page operations is automatically generated into a GIF video and saved locally.	Middle

If a user is logged into sensitive websites such as banks, medical institutions, government agencies, enterprise back-end systems, or confidential office sites on their device, the Native Messaging Bridge can directly reuse the user’s legitimate session identity to access various sensitive business systems without any notice. Furthermore, it completely bypasses the browser’s native security sandbox isolation mechanism, without any pop-up prompts or permission verifications, posing an extremely high risk of privacy leakage and business security breaches.

3.2     Attack Surface Risk Analysis

Combining product design flaws with publicly available vulnerability data, this pre-embedded channel generates multiple attack surfaces that can be implemented, breaching conventional browser security protection systems and creating a highly covert and successful composite attack risk, as detailed below:

1. Prompt Injection: High Risk

According to publicly available test data from Anthropic, even with the platform’s built-in security mitigation measures enabled, the success rate of message injection attacks on Claude for Chrome products can still reach 11.2%. The silently embedded Native Messaging Bridge is the core attack surface of this attack chain. Attackers can trigger message injection vulnerabilities by constructing malicious web pages and inducing AI to load malicious content, thereby tampering with the AI’s execution logic and ultimately calling a local high-privilege channel to escalate terminal privileges, breaching both the terminal and browser security boundaries.

• Risks of Pre-set Extension ID Leaks and Forgery Attacks

Claude Desktop’s automatically generated configuration manifest is hard-coded into three sets of official Chrome extension whitelist IDs, posing a significant security risk. Due to Chrome extension developer signing and app store mechanisms, attackers cannot directly forge malicious extensions with the same IDs for distribution through official channels. However, they can use publicly available extension identifiers to create phishing attacks. If users are tricked into manually installing malicious extensions from unofficial channels, pre-authorized Native Messaging permissions can be used to bypass some security controls, enabling attacks such as browser configuration hijacking, user session theft, and website defacement.

• Cross-Vendor Trust Boundaries Completely Destroyed

This design completely breaks the security boundaries and trust isolation principles of internet software vendors. Anthropic’s Claude Desktop client can tamper with the core configuration directories of independent browser vendors such as Brave, Edge, and Chromium without authorization or awareness, forcibly pre-installing high-privilege communication channels. The core risk lies in the fact that even if the user’s terminal does not have any official Anthropic browser extensions installed, the system has already completed the pre-configuration of permissions, and this high-privilege communication channel is in a dormant, ready-to-be-activated state, severely impacting the existing trust and security protection system of the terminal software.

3.3     System-Level Risk Analysis

This Native Messaging communication channel leverages macOS system features to achieve deep, covert persistence, circumventing native system monitoring, permission management, and security auditing mechanisms. Regular users and basic endpoint protection tools are unaware of its operation and existence. Specific covert characteristics are as follows:

Table 3‑2 Covert Features of macOS System’s Native Messaging Communication Channel

Detection dimensions	Detailed description
Process visibility	The Native Messaging Host process is dynamically invoked by the browser on demand. It only runs temporarily when communication is triggered and is not permanently listed in the system process list. Users cannot detect abnormal processes through activity monitors or command-line process searches, making it extremely stealthy.
Permission UI circumvention	This high-privilege communication channel is not included in the macOS system’s standard permission management system and will not be displayed in the system’s visual UI such as “Privacy&Security”, “Full Disk Access”, and “File and Folder Permissions”. Users cannot intuitively view or control this permission, making it a hidden privilege channel.
Anonymity of online activities	The channel relies on the system’s standard stdio mechanism to complete data communication between the browser and local programs. It does not generate independent external or internal network connections, and abnormal traffic cannot be captured by firewalls, network monitoring tools, or traffic auditing devices, rendering conventional network protection completely ineffective.
Document traceability features	The configuration file comes with the macOS system’s com.apple.provenance extended property, which can accurately trace the file’s origin to the official Claude Desktop program. It has no third-party tampering characteristics and is easily identified as a legitimate and trustworthy file by security devices, further evading security detection.

4. Chain Reaction of Security Risks for Desktop Agents

4.1     Desktop Agents Are Entering a Period of Risk Outbreaks

The recent security incident involving Claude Desktop’s silent pre-embedded high-privilege communication channels and uncontrolled permission boundaries, which could lead to reverse hijacking, is not an isolated case, but rather an inevitable event in the rapid iterative development of general desktop AI agents. Currently, the global desktop agent market is booming, exhibiting an unbalanced development trend characterized by “rapid feature iteration, lagging security systems, and lax permission control.” In their rush to seize the intelligentization market and build core competitiveness in AI-automated office work, major vendors generally prioritize user experience, feature richness, and ease of use over security boundary control, repeating the historical trajectory of internet clients that prioritize capabilities over security, experience over compliance. Compared to the relatively mature security baselines of least privilege, explicit authorization, boundary isolation, and auditable behavior in operating systems and software security concepts, new desktop agents generally neglect terminal security standards in their design, recklessly demanding high system privileges, unauthorizedly modifying third-party application configurations, pre-embedding hidden communication channels, and weakening user awareness and authorization mechanisms, completely breaking down the trust and isolation system of terminal software. Unlike traditional applications that only execute corresponding operations when actively triggered by the user, desktop AI agents possess novel capabilities such as autonomous perception, proactive reading, continuous monitoring, and automated decision-making. They can silently collect core privacy information such as web page data, local files, and browsing sessions. If security verification mechanisms are lacking, they can easily form a persistent attack surface that can be exploited externally. The issues exposed in this incident—such as the lack of protection against AI prompt injection, pre-embedded cross-software permissions, and unrestricted execution of high-privilege processes— are widespread in desktop AI agents, inevitably making these security vulnerabilities a significant attack surface.

4.2     Software Supply Chain Risks Continue to Be Amplified in Artificial Intelligence Scenarios

Like Claude Desktop and Codex, designed for R&D and research teams, are deeply embedded in the entire enterprise software development chain. They not only possess high-privilege capabilities such as complete local file reading and writing, terminal execution, and directory traversal, but also serve as crucial intermediate nodes connecting requirements analysis, code development, version iteration, and documentation. Deeply integrated into the enterprise’s internal supply chain system, once an attacker compromises this client, it will cause multi-layered and irreversible chain reactions of harm to the software supply chain. From an asset theft perspective, attackers, leveraging the tool’s high-privilege local access, can directly traverse local code repositories, requirement documents, interface solutions, core algorithm prototypes, and other confidential technical assets, exporting non-open-source core source code and proprietary technical solutions in bulk, resulting in the loss of core intellectual property rights. Simultaneously, by utilizing the database and knowledge base services connected via the tool’s built-in MCP protocol, attackers can horizontally read underlying business data and architectural design drawings, completing the harvesting of technical intelligence across the entire chain. From the perspective of supply chain poisoning risks, this tool can directly manipulate Git branches, compilation scripts, and packaging and release configurations. After intrusion, attackers can silently pre-embed hidden logical vulnerabilities in the source code, insert backdoor call interfaces, or create private development branches carrying Trojans. During the local compilation, testing, and packaging process, the build scripts are tampered with, allowing programs carrying malicious payloads to flow into the internal testing environment and eventually flow to downstream customers and partner vendors with the official release version.

This type of risk differs from ordinary office software intrusion. Its attack targets the source of software production, with vulnerabilities and Trojans embedded in the underlying development process. Conventional online scanning and code auditing are insufficient to trace and identify them. Malicious code can spread throughout the entire upstream and downstream supply chain along with software delivery, causing secondary security incidents such as customer data leaks and control of business systems, forming a supply chain security crisis that spreads from the source to the entire domain.

5. Summary: Address the Inevitable Security Degradation Accompanying Emerging Technology Inflection Points

This incident involving Claude Desktop’s silent pre-installation of a high-privilege Native Messaging channel highlights the tortuous nature of security system evolution. A very typical pattern is that every major revolution in information technology often stems not solely from technological innovation, but rather from its initial adoption due to convenience. This inevitably leads to two consequences: existing security frameworks are seen as stumbling blocks by new applications, and historical vulnerabilities reappear in new scenarios. For example, the widespread adoption of DOS and PCs accelerated the system security revolution, but also rendered the security paradigm of commercial UNIX obsolete; almost all the security pitfalls and threat patterns of the PC era were reproduced without exception in the early development of smartphones.

The era of desktop agents has developed a preliminary, mature security mechanism based on the losses and lessons learned from numerous threat incidents. This mechanism, built upon the von Neumann general-purpose computing architecture, incorporates the spatial isolation security concept of the Harvard architecture, establishing a layered isolation framework for processes, resources, and data, covering everything from the operating system to application software. Through sandboxing, hierarchical permission systems, explicit authorization, and isolation of third-party application configurations, it constrains the privilege scope of individual programs, constructing a basic security order where multiple software components do not intrude and their operations are auditable. However, tempted by convenience, users often dismantle the security barriers built from countless painful lessons — especially after repeated authorization confirmation prompts, most people choose to grant permanent authorization.

The widespread adoption of AI-powered agents has reshaped the logic of human-computer interaction, leading to a growing demand for automation and one-stop collaboration. To cater to this demand for convenience, product designs tend to streamline cross-software interaction links and weaken multi-layered authorization verification, bypassing long-established security plans that isolate hardware, software, and data. Taking this incident as an example, to achieve browser integration capabilities, the vendor tampered with the core configurations of multiple third-party browsers without the user’s knowledge, pre-installed communication channels with permanent global trust, and opened up high-level machine privileges (out of the sandbox) to cross-program interaction interfaces, breaking down the trust barriers between different software vendors.

The unique operational logic of AI-powered agents further amplifies the weaknesses of the entire isolation framework: the agent proactively reads external page content as input context, allowing external payloads to intervene in its execution and decision-making processes; its accompanying interaction protocol possesses the ability to invoke underlying system operations. Once the pre-embedded high-privilege channel is in a dormant state, malicious external payloads can leverage existing legitimate business processes to achieve privilege escalation, enabling actions such as browser session theft, bulk reading of sensitive data, and identity impersonation to operate business systems. The entire attack chain is covert, without pop-up warnings, making it difficult to detect and trace using conventional endpoint protection methods.

In this incident, although the vendor subsequently added an authorization interaction pop-up, the core architecture, including the underlying permission and trust model, cross-software pre-embedded channels, and input link protection, was not reconstructed. The persistent attack surface resulting from the breach of the security isolation framework was not eradicated. Desktop AI agents have evolved from ordinary application software into infrastructure deeply integrated into all terminal scenarios. Traditional isolation, authorization, and auditing systems built for ordinary software are no longer suitable for this new computing power carrier. The unverifiable underlying operating logic of intelligent tools and the lack of control over implicit permission links pose supply chain security risks in critical industry scenarios.

This incident also serves as a reminder that in scenarios requiring strong technological autonomy, the technological autonomy and security controllability of desktop agents are just as important as the model itself. As desktop agents worldwide gradually take over systems in a slow, gradual manner, driven by users’ pursuit of convenience, we, as long-term security enablers, want to explore a path for Chinese desktop agents that prioritizes security and controllability.

Appendix 1: References

• Alexander Hanff: Anthropic secretly installs spyware when you install Claude Desktop (2026-04-18).

https://www.thatprivacyguy.com/blog/anthropic-spyware/

• Toxsec: Is Claude Code Secretly Installing Spyware? (2026-04-27).

https://www.toxsec.com/p/is-claude-code-spyware

• Antiy: Claw Havoc Analysis of Large-Scale Poisoning Campaign Targeting the OpenClaw Skill Market for AI Agents (February 26, 2026)

https://mp.weixin.qq.com/s/Rj0uk1AXdPW1PnuaRfxA1A