A vulnerability in Claude Desktop Extensions makes it possible to execute arbitrary code on a system via a Google Calendar appointment without user intervention.
Security company LayerX discovered a new type of vulnerability linked to the Claude Desktop Extensions (DXT). The flaw makes it possible for an attacker to execute malicious code on a system without having to exploit actual vulnerabilities. The attacker uses Claude’s gullibility and DXT’s high privileges to simply ask for what they want via a detour. The flaw therefore received a maximum CVSS score of 10/10.
Attack via the calendar
LayerX links the attack to the simplicity of a (shared) calendar appointment. All an attacker needs to do to gain access is share an invitation for, for example, Google Calendar. In that calendar appointment, the attacker must then describe what they want, for example:
- Perform a git pull from an attacker’s repository and save it to the hard drive
- Execute the file in question.
When a user of Claude and DXT asks a seemingly innocent question, such as “Check my calendar and arrange everything for me,” Claude gets to work and encounters the task with explicit instructions. Claude does not question whether these instructions are malicious: they are clear and in the calendar, so the AI bot will arrange everything as requested.
No sandbox
Normal extensions work in a sandbox environment, but DXT does not. DXT gives Claude full access to a user’s system, because that is necessary to perform tasks for that user. In the example above, Claude will pass the instructions to a local MCP extension with execution rights. As a result, the complete malicious code is downloaded, saved and executed on a system without user intervention.
According to LayerX, the risk arises when Claude autonomously decides to combine different connectors. A source with a perceived low risk, such as Google Calendar, can thus supply data to a local extension with execution rights. There are no built-in restrictions that block such data flows by default.
The attack does not require complex manipulation. A user only needs to ask to check recent appointments and “take care of it” or “arrange it”. Claude can interpret that as permission to take further action.
Structural flaw in architecture
According to LayerX, this points to a broader architectural vulnerability within MCP-based workflows. Automatically passing data between connectors with different risk profiles creates an attack vector that is difficult to control. LayerX notified Anthropic, but according to the company, the problem has not yet been resolved.
As long as there are no additional safeguards regarding access control and separation of powers, MCP connectors pose a risk to security-sensitive environments, according to the researchers. Or, to put it very differently: if you wouldn’t give a gullible intern access to a system, don’t just give an AI bot high privileges either.