Report: Claude Desktop Extensions run unsandboxed, enabling zero-click RCE

In a technical analysis by LayerX Security published on Monday, researchers said Claude Desktop Extensions (DXT) run unsandboxed with full system privileges, creating a critical zero-click remote code execution vulnerability that can be triggered by a malicious Google Calendar entry.

KEY FACTS

  • Incident: a critical zero-click RCE in Claude Desktop Extensions
  • Privileges: DXT runs unsandboxed with full system privileges
  • Attack vector: a malicious Google Calendar invite can trigger arbitrary local code execution
  • Disclosure: researchers notified Anthropic and the company did not apply a fix at this time

The report describes how DXT can autonomously chain low-risk connectors such as Google Calendar to high-risk local executors without user awareness or consent, creating system-wide trust boundary violations in agentic workflows.

The analysis tested DXT against other agent implementations and found a difference in behavior. Alternatives were observed to request user permission when an agent attempted actions beyond explicit instructions, while DXT may proceed without consulting the user.

Anthropic’s public guidance frames the MCP integration as a local development tool that requires users to install MCP servers and explicitly grant permissions to run them, with resource access determined by the user’s system permissions and configuration.

The report includes industry commentary that frames the issue as an architectural design choice that increases attack surface. Mitigations discussed include stronger permission boundaries, enterprise deployment controls, sandboxing, and in some cases a redesign of the extension architecture.
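
One way to express the permission boundary discussed above, as an added example (not code from LayerX, Anthropic or DXT): a gate that stops an agent plan and asks the user whenever a high-risk local executor is called after content from an externally writable connector has entered the context. Tool names, risk labels and the `Session` class are hypothetical.

```python
from dataclasses import dataclass, field

# Hypothetical tool registry: names and risk labels are assumptions for this example.
TOOL_RISK = {
    "calendar.read": "low",   # connector returning third-party-authored content
    "notes.search": "low",
    "shell.exec": "high",     # local executor
    "fs.write": "high",
}
UNTRUSTED_SOURCES = {"calendar.read"}  # output may be written by outsiders


@dataclass
class Session:
    user_approved: set = field(default_factory=set)  # tools named in the user's request
    tainted_by: list = field(default_factory=list)   # untrusted sources read so far
    audit: list = field(default_factory=list)        # (tool, decision, taint) records

    def gate(self, tool: str) -> str:
        """Return 'allow', 'ask_user' or 'deny' for the next tool call."""
        risk = TOOL_RISK.get(tool)
        if risk is None:
            decision = "deny"        # unknown tool: fail closed
        elif risk == "low":
            decision = "allow"
        elif self.tainted_by:
            # High-risk call after untrusted content entered the context:
            # earlier approval does not carry over, the user must confirm.
            decision = "ask_user"
        elif tool in self.user_approved:
            decision = "allow"
        else:
            decision = "ask_user"
        self.audit.append((tool, decision, tuple(self.tainted_by)))
        if decision == "allow" and tool in UNTRUSTED_SOURCES:
            self.tainted_by.append(tool)
        return decision


def run_plan(session, plan):
    """Gate each step in order; stop at the first step that is not allowed."""
    decisions = []
    for tool in plan:
        decisions.append(session.gate(tool))
        if decisions[-1] != "allow":
            break
    return decisions
```

The audit list records which untrusted source preceded each gated call, which gives a reviewer the connector-to-executor chain for any prompt that was raised.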

WHY IT MATTERS

The vulnerability lets benign data sources cause full system compromise when agentic desktop extensions have direct file system access and execution privileges, a configuration that could expose enterprise desktops to broad risk unless deployment controls and permissions are tightened.