Claude Chrome security flaw could allow a malicious browser extension to trigger predefined AI workflows through simulated user clicks. The flaw could in turn be abused Claude's access to services like Gmail, Google Docs, Google Calendar, and Salesforce, depending on how the extension is configured and what permissions the user has given it.
The vulnerability was discovered by the security researcher Axe Sharma at Manifold Security. According to the researcher, the problem lies in how Anthropic's Chrome extension Claude determines whether a user has actually initiated one of its built-in AI workflows.
How the Claude Chrome vulnerability works
Chrome extensions that have permission to run on a website can inject JavaScript into the page's content. This means they can read and modify information, manipulate page elements, and generate click and keyboard events programmatically.
According to Manifold Security The Claude extension listens for clicks on specific page elements that are used to launch predefined AI workflows. These workflows enable Claude to perform tasks in connected services, including:
- Gmail: read the latest emails, identify promotional emails and unsubscribe.
- Google Docs: open the user's latest document and read comments and feedback.
- Google Calendar: analyze the calendar, find available times and create meetings.
- Salesforce: update leads and convert them into business opportunities.
Didn't check if the click came from a real user
The researchers discovered that The Claude addition accepted JavaScript-generated clicks without checking whether they came from a real user.
Web browsers use the property Event.isTrusted to distinguish between events created by a user and those generated programmatically via JavaScript. For example, when a user clicks the mouse, Event.isTrusted to true, while synthetic events are automatically marked as false.
According to Manifold Security, the Claude extension did not check this property before starting an AI workflow.
This meant that a malicious Chrome extension with permission to run on the domain claude.ai could create a special page element, specify one of the supported task identifiers, and then generate a synthetic click. Although the browser correctly marked the event as untrusted, the Claude extension treated it as a legitimate user click and performed the requested AI action.
The attack is limited but could have significant consequences
The researchers emphasize that the vulnerability does not allow arbitrary prompt injection or allow attackers to run arbitrary commands through Claude. Instead, the attack is limited to the nine predefined AI workflows built into the extension.
An attacker also cannot compromise Claude directly through a website. For the attack to succeed, the user must first be tricked into installing a malicious Chrome extension that has permission to execute code on it. claude.ai.
Once such an extension is installed, it can manipulate the web page and trigger the Claude extension's built-in workflows without the user intentionally initiating them.
Can abuse Claude's access to external services
Although a malicious browser extension already has extensive access to the websites it runs on, researchers believe this vulnerability poses an additional risk because it could exploit Claude's authenticated access to connected services.
How big the impact will be depends, among other things, on how The Claude addition is configured and if the user has enabled the feature “Act without asking”, which allows certain predefined workflows to run automatically without further approval.
In environments where Claude has access to sensitive information or business systems, the consequences may therefore be greater than with a typical malicious browser extension.
Further discovery around authorization checks
The researchers also identified an internal parameter, skipPermissions=true, which could bypass certain authorization checks when the extension was launched.
However, they noted that this mechanism could not be exploited directly on its own. To create a working attack, an additional vulnerability would be required to construct a specially crafted URL.
Anthropic was informed via the bug bounty program
Both findings were reported to Anthropic through the company's bug bounty program.
Anthropic confirmed the reports and stated that the synthetic click problem had already been recorded as part of a larger security effort. The second discovery, which concerned the parameter skipPermissions=true, was classified as informative.
According to Manifold Security, both flaws are still reproducible in version 1.0.80 by Claude Chrome extension, which was published on July 7.
In their report, the researchers write:
“Manifold verified on July 7 that both results are still reproducible in version 1.0.80. The content script and sidebar handlers that we analyzed are byte-identical to the source code in version 1.0.72.”
It is currently unclear when Anthropic will fix the main vulnerability. Until then, users are advised to only install Chrome extensions from trusted developers, regularly review the permissions of installed extensions, and avoid granting unnecessary permissions to extensions that have access to claude.ai, Google Workspace or other business-critical services.








