Anthropic's Claude Desktop App Installs Undisclosed Native Messaging Bridge

Anthropic's Claude Desktop app (the chat interface for Claude AI) has been discovered to install a browser extension without explicit user disclosure, enabling a native messaging bridge between the desktop app and the browser. The extension is preauthorized and allows the desktop app to communicate with web pages, potentially reading or injecting content.
Key details from the source (HN discussion, 74 points, 15 comments):
- The extension is installed automatically when Claude Desktop is installed or updated, without any prompt or explanation in the UI.
- It uses Chrome's native messaging API, which gives it elevated privileges compared to a regular extension.
- Users on HN noted that the extension's manifest declares permissions for nativeMessaging and access to *://*/*, meaning it can interact with all websites.
- There is no obvious mechanism to disable or remove the extension within Claude Desktop — users must manually remove it from Chrome's extension management page (chrome://extensions/).
This behavior is similar to how some other desktop apps (e.g., Grammarly, LastPass) install companion extensions, but the lack of disclosure and the preauthorized nature of the installation have drawn criticism. The HN thread surfaces concerns about trust and transparency, especially given Claude Desktop's ability to browse the web on behalf of users.
For developers using Claude Desktop, it's worth checking your browser's extension list and reviewing the permissions granted to any Claude-related extensions. If you prefer to keep your browsing isolated, you can manually uninstall the extension — though it may reappear on app updates.
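As an added example (not code from the HN thread, Anthropic, or Claude Desktop), here is a small Python audit that applies the check recommended above: it walks a Chrome profile's Extensions directory and flags any extension whose manifest declares nativeMessaging or a host pattern covering all websites. The Chrome profile path is an assumed Linux default, and the embedded sample manifest is constructed for illustration, not the real extension's manifest.

```python
import json
from pathlib import Path

# Host patterns that cover every website (Chrome MV2 and MV3 spellings).
BROAD_HOSTS = {"*://*/*", "<all_urls>", "http://*/*", "https://*/*"}

# Constructed sample carrying the two traits the HN thread called out; this is
# NOT the real Claude extension's manifest, only an illustration.
SAMPLE_MANIFEST = {"manifest_version": 3, "name": "Constructed companion bridge",
                   "permissions": ["nativeMessaging", "storage"],
                   "host_permissions": ["*://*/*"]}

def _load_json(path: Path):
    try:
        return json.loads(path.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return None  # unreadable or malformed file: caller skips it

def audit_manifest(manifest: dict) -> dict:
    """Report whether a manifest declares nativeMessaging and all-site host access."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    hosts = set(manifest.get("host_permissions", [])) | set(manifest.get("optional_host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}  # MV2 keeps hosts in "permissions"
    for cs in manifest.get("content_scripts", []):
        hosts |= set(cs.get("matches", []))  # content scripts grant page access too
    return {"name": manifest.get("name", "?"),
            "native_messaging": "nativeMessaging" in perms,
            "all_sites": bool(hosts & BROAD_HOSTS)}

def scan_extensions(ext_dir: Path) -> list:
    """Audit <profile>/Extensions/<id>/<version>/manifest.json and return the risky ones."""
    findings = []
    for mf in sorted(ext_dir.glob("*/*/manifest.json")):
        if (data := _load_json(mf)) is None:
            continue
        result = audit_manifest(data)
        result["id"] = mf.parent.parent.name  # Chrome's 32-character extension ID
        if result["native_messaging"] or result["all_sites"]:
            findings.append(result)
    return findings

if __name__ == "__main__":
    chrome = Path.home() / ".config" / "google-chrome"  # assumed Linux path; adjust per OS
    print("sample:", audit_manifest(SAMPLE_MANIFEST))
    for f in scan_extensions(chrome / "Default" / "Extensions"):
        print("extension:", f)
```

Extension names may appear as localized placeholders such as __MSG_appName__; match on the directory ID shown in chrome://extensions/ when that happens.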
📖 Read the full source: HN AI Agents
👀 See Also

Open-source RAG attack and defense lab for local ChromaDB + LM Studio stacks
An open-source lab measures RAG knowledge base poisoning effectiveness on default local setups with ChromaDB and LM Studio, showing a 95% success rate on undefended systems and evaluating practical defenses.

Using Claude to audit OpenClaw setup reveals security issues
A developer used Claude to review their OpenClaw installation and discovered the bot was writing API keys in clear text in memory and JSON files, along with other security concerns.

Analysis of Claude Code's Instrumentation and Telemetry Capabilities
A source code analysis reveals Claude Code implements extensive behavior tracking including keyword-based sentiment classification, permission prompt hesitation monitoring, and detailed environment fingerprinting.

Critical RCE vulnerability in protobuf.js library
A critical remote code execution vulnerability in protobuf.js versions 8.0.0/7.5.4 and lower allows JavaScript code execution through malicious schemas. Patches are available in versions 8.0.1 and 7.5.5.