Claude Desktop for macOS silently installs a Native Messaging manifest pre-authorizing three Chromium extension IDs, granting local binary access even before any Chromium browser is installed.
Key Takeaways
The manifest com.anthropic.claude_browser_extension.json is written to disk for Chromium-based browsers regardless of whether they are installed; any future Chromium install inherits the preauthorization without a new consent prompt.
The authorized local binary runs at user OS privilege outside the browser sandbox, enabling extensions to read page contents, autofill forms, capture screens, and tap authenticated sessions.
Anthropic’s own prompt-injection metrics show 23.6% vulnerability without mitigations and 11.2% with; a successful injection could pivot through the extension into the local bridge.
Researcher Alexander Hanff flagged potential ePrivacy Directive Article 5(3) noncompliance; independent reviewer Noah Kenney noted the manifest is persistent and difficult for users to locate or remove.
Practitioners should audit ~/Library for unexpected Native Messaging manifests, block unrecognized extension IDs, and apply OS-level least-privilege controls to any local message-accepting binary.
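The audit the last takeaway calls for, as an added example written for this page rather than code from Anthropic or any browser vendor: it walks the per-user NativeMessagingHosts directories of the common Chromium-based browsers on macOS, parses each manifest, extracts the extension IDs it pre-authorizes, and flags IDs outside a reviewer-supplied allowlist as well as hosts whose binary is missing or world-writable. The Chrome and Chromium directories follow Chrome's native-messaging documentation; the Edge and Brave entries and the allowlist are assumptions of this example, and the manifest used in the demo is constructed sample data that reuses only the file name quoted on this page with placeholder extension IDs.

```python
"""Audit per-user Native Messaging manifests for Chromium-based browsers on macOS.

Added example for this page, not Anthropic's or any browser's own code.
"""
import json
import os
import tempfile
from pathlib import Path

# Chrome and Chromium paths are from Chrome's native-messaging docs; the Edge
# and Brave entries are assumed from those browsers' Chromium profile layout.
USER_MANIFEST_DIRS = [
    "~/Library/Application Support/Google/Chrome/NativeMessagingHosts",
    "~/Library/Application Support/Chromium/NativeMessagingHosts",
    "~/Library/Application Support/Microsoft Edge/NativeMessagingHosts",
    "~/Library/Application Support/BraveSoftware/Brave-Browser/NativeMessagingHosts",
]

ORIGIN_PREFIX = "chrome-extension://"


def extension_ids(manifest: dict) -> list:
    """Return the extension IDs named in a manifest's allowed_origins list."""
    ids = []
    for origin in manifest.get("allowed_origins", []):
        if origin.startswith(ORIGIN_PREFIX):
            ids.append(origin[len(ORIGIN_PREFIX):].rstrip("/"))
    return ids


def audit_manifest(path: Path, allowlist: set) -> dict:
    """Parse one manifest and report the facts a reviewer wants to see."""
    with open(path, encoding="utf-8") as fh:
        manifest = json.load(fh)
    ids = extension_ids(manifest)
    host = Path(os.path.expanduser(manifest.get("path", "")))
    findings = []
    if manifest.get("type") != "stdio":
        findings.append("unexpected type %r" % manifest.get("type"))
    unknown = [i for i in ids if i not in allowlist]
    if unknown:
        findings.append("pre-authorizes unrecognized extension IDs: " + ", ".join(unknown))
    if not host.is_file():
        findings.append("host binary missing: %s" % host)
    elif host.stat().st_mode & 0o002:
        findings.append("host binary is world-writable: %s" % host)
    return {
        "manifest": str(path),
        "name": manifest.get("name"),
        "host": str(host),
        "extension_ids": ids,
        "findings": findings,
    }


def audit_dirs(dirs, allowlist: set) -> list:
    """Audit every *.json manifest in each directory that exists."""
    reports = []
    for d in dirs:
        base = Path(os.path.expanduser(d))
        if not base.is_dir():
            continue  # that browser's profile tree is not present
        for manifest_path in sorted(base.glob("*.json")):
            try:
                reports.append(audit_manifest(manifest_path, allowlist))
            except (OSError, ValueError) as exc:
                reports.append({"manifest": str(manifest_path),
                                "findings": ["unreadable: %s" % exc]})
    return reports


def demo() -> list:
    """Run the audit against a constructed manifest in a temp directory.

    Sample data only: placeholder extension IDs and a host path that
    deliberately does not exist, so the checks fire.
    """
    tmp = Path(tempfile.mkdtemp())
    nmh = tmp / "NativeMessagingHosts"
    nmh.mkdir()
    sample = {
        "name": "com.anthropic.claude_browser_extension",
        "description": "constructed sample manifest",
        "path": str(tmp / "bridge-host-placeholder"),  # missing on purpose
        "type": "stdio",
        "allowed_origins": [
            "chrome-extension://" + "a" * 32 + "/",  # placeholder, allowlisted
            "chrome-extension://" + "b" * 32 + "/",  # placeholder, not allowlisted
        ],
    }
    (nmh / "com.anthropic.claude_browser_extension.json").write_text(json.dumps(sample))
    return audit_dirs([str(nmh)], allowlist={"a" * 32})


if __name__ == "__main__":
    # Real run: an empty allowlist reports every pre-authorized ID for review.
    print(json.dumps(audit_dirs(USER_MANIFEST_DIRS, allowlist=set()), indent=2))
```

Running the script with an empty allowlist lists every extension ID any manifest pre-authorizes; system-wide manifests under /Library are outside this per-user sweep and should be checked the same way. Each report names the host binary the browser would launch, which is the process the page's least-privilege recommendation applies to.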
Hacker News Comment Review
The sharpest technical counterpoint: the manifest alone is inert – the user must still manually install the extension in Chrome and accept a permissions dialog before the bridge activates.
A builder working on a browser-to-local-Claude tool independently chose Native Messaging over a plain localhost proxy, framing it as the only architecture that can pass a security review – lending legitimacy to Anthropic’s design choice while leaving the undisclosed pre-installation unaddressed.
Broader distrust of Anthropic’s “safety-first” positioning surfaced without rebuttal, suggesting the disclosure gap matters more to the thread than the technical mechanism itself.
Notable Comments
@horsawlarway: Chrome’s own permissions popup explicitly reads “Communicate with cooperating native applications” before any bridge activates, making the manifest a necessary but not sufficient precondition.
@jmathai: arrived at Native Messaging independently after rejecting a localhost proxy as unlikely to survive a security review, noting MCP and network-access use cases as the real driver.