Anthropic's Claude Desktop App Installs Undisclosed Native Messaging Bridge

Anthropic's Claude Desktop app (the chat interface for Claude AI) has been discovered to install a browser extension without explicit user disclosure, enabling a native messaging bridge between the desktop app and the browser. The extension is preauthorized and allows the desktop app to communicate with web pages, potentially reading or injecting content.
Key details from the source (HN discussion, 74 points, 15 comments):
- The extension is installed automatically when Claude Desktop is installed or updated, without any prompt or explanation in the UI.
- It uses Chrome's native messaging API, which gives it elevated privileges compared to a regular extension.
- Users on HN noted that the extension's manifest declares permissions for
nativeMessagingand access to*://*/*, meaning it can interact with all websites. - There is no obvious mechanism to disable or remove the extension within Claude Desktop — users must manually remove it from Chrome's extension management page (
chrome://extensions/).
This behavior is similar to how some other desktop apps (e.g., Grammarly, LastPass) install companion extensions, but the lack of disclosure and the preauthorized nature of the installation has drawn criticism. The HN thread surfaces concerns about trust and transparency, especially given Claude Desktop's ability to browse the web on behalf of users.
For developers using Claude Desktop, it's worth checking your browser's extension list and reviewing the permissions granted to any Claude-related extensions. If you prefer to keep your browsing isolated, you can manually uninstall the extension — though it may reappear on app updates.
📖 Read the full source: HN AI Agents
👀 See Also

Anthropic reports industrial-scale distillation attacks by Chinese AI labs on Claude
Anthropic detected three Chinese AI companies—DeepSeek, Moonshot, and MiniMax—creating over 24,000 fraudulent accounts to generate 16+ million exchanges with Claude, extracting its reasoning capabilities through systematic distillation attacks.

Privacy Concerns in OpenClaw: Skills, SOUL MD, and Agent Communication
A developer raises privacy concerns about OpenClaw's architecture, specifically around skills having unrestricted access to sensitive data, SOUL MD being writable, and agents sharing information without filters.

Open-Source Attack Surface Management Cheat Sheet Released
A developer has open-sourced an Attack Surface Management cheat sheet that covers practical workflows, tools, and references. The project includes sections on asset discovery, infrastructure tracking, reconnaissance tooling, automation workflows, and learning resources.

Architectural fix for AI agent over-centralization: separating memory, execution, and outbound actions
A developer realized their AI assistant was becoming an 'internal autocrat' by handling long-term memory, tool access, and autonomous decisions in one component. The solution involved separating the system into three roles: private controller, scoped workers, and outbound gate.