There is a particular flavor of irony that only the technology industry can produce, and it tastes like Anthropic — the company that has built its entire brand on the premise that AI should be safe, aligned, and trustworthy — shipping a browser extension with two unpatched vulnerabilities that let any malicious Chrome extension read your Gmail, rifle through your Google Docs, rearrange your Calendar, and modify your Salesforce leads. All without asking.
The company was told about both flaws in May. It is now mid-July. Eight extension releases have come and gone. The vulnerabilities remain, sitting comfortably in version 1.0.80 like a tenant who knows you won’t call the landlord.
🤚 The Open-Palm Disclosure
Security researcher Ax Sharma of Manifold Security discovered that the Claude for Chrome extension does not verify the Event.isTrusted property before executing its built-in workflows. For the non-technical: browsers have a simple mechanism to distinguish between clicks made by an actual human finger and clicks fabricated by JavaScript. Real clicks are marked true. Fake clicks are marked false. Claude’s extension treats both identically, which is the digital equivalent of a bouncer who accepts both government-issued IDs and crayon drawings.
This means a malicious browser extension — one that has permission to modify content on claude.ai — can inject page elements and trigger synthetic clicks that activate Claude’s predefined workflows:
- usecase-gmail: Read recent emails, identify promotional content, click unsubscribe
- usecase-gdocs: Access your latest Google Doc, read all comments and feedback
- usecase-calendar: Read your calendar, identify free slots, create meetings
- usecase-salesforce: Modify Salesforce leads, convert them to opportunities
If the user has enabled “Act without asking” mode — a feature whose name now reads less like a convenience toggle and more like a warning label — Claude will execute these actions silently. No confirmation dialog. No notification. Just your AI assistant cheerfully handing your inbox to a stranger because a synthetic click told it to.
👐 The Two-Handed Irony Sandwich
Manifold reported both findings to Anthropic’s bug bounty program on May 21, 2026, against extension version 1.0.72. Anthropic acknowledged the reports the next day. Then it closed one, folding it into an existing tracking report on “the broader trust-boundary issue.” The other was classified as “informational only.”
That second finding? Researchers discovered an internal skipPermissions=true parameter that bypasses certain permission checks. Anthropic called it informational. Security researchers call it concerning. The rest of us call it a parameter named skipPermissions that skips permissions.
On July 7, Manifold verified that both findings remain fully reproducible in version 1.0.80. The source code handling the vulnerable click logic is, in their words, “byte-identical” to the version they originally reported against. Eight releases. Zero changes. The vulnerability has survived more update cycles than most startups survive funding rounds.
To be fair, the attack does require a user to install a malicious extension first, and the exploit is limited to Claude’s nine predefined tasks rather than arbitrary prompt injection. This is roughly analogous to saying your house only has nine unlocked doors and the burglar does need to walk to your street first.
🌿 The Gentle Awakening
There is something philosophically magnificent about a company that publishes 100-page safety reports on the existential risk of artificial intelligence while shipping a browser extension that cannot distinguish between a human click and a JavaScript event. Anthropic has spent years — and billions of dollars — ensuring that Claude will politely decline to help you build a bioweapon, but apparently the engineering budget did not extend to a single if (event.isTrusted) check.
The broader issue here is not merely technical. It is theological. The AI safety movement has spent a decade warning us about the dangers of autonomous AI agents that act without human oversight. Anthropic then built a browser extension with a mode called “Act without asking” and did not verify that the asking was being skipped by a human. The leopard did not eat anyone’s face. The leopard automated the face-eating and removed the confirmation dialog.
👑 The Gold-Leaf Trust Exercise
The real lesson is not about Anthropic specifically — it is about the entire agentic AI ecosystem that is currently being bolted onto every browser, email client, and enterprise tool with the structural integrity of a garden shed in a hurricane. We are connecting AI agents to our most sensitive data — email, documents, calendars, CRM systems — and the security model for these integrations is approximately “trust the click.”
Manifold’s recommendations are straightforward: validate genuine user interactions before executing privileged actions, avoid URL-driven privilege transitions, and strengthen authentication of internal extension workflows. These are not novel security concepts. They are the kind of advice you would find in a 2014 Chrome extension security guide. The fact that they need to be stated in 2026 to the company positioning itself as the responsible steward of artificial intelligence is a punchline that writes itself.
Anthropic will almost certainly patch this. The question is whether it will happen before or after someone demonstrates the exploit in a way that involves an actual victim rather than a research paper. Given the current timeline — 57 days and counting — the smart money is on “after.”
“The extension’s click handler does not verify whether the click originated from a real user, which is also our company’s approach to handling vulnerability reports.” — The Slap of Wisdom Browser Security Desk, verifying that this article was written by a human by checking absolutely nothing