Claude Desktop Modifies Browser Permissions Silently

Anthropic's Claude Desktop for macOS installs a Native Messaging manifest that pre-authorizes browser extensions and modifies app-level settings without explicit user consent. The installed file, com.anthropic.claude_browser_extension.json, registers a local executable and pre-approves extension identifiers for multiple Chromium-based browsers, including ones not yet installed. Privacy consultant Alexander Hanff calls the behavior a dark pattern and argues it may breach Article 5(3) of the ePrivacy Directive and relevant computer misuse laws in the EU. Anthropic positions the capability as part of agentic features that let Claude Code and companion tools use a user's computer, claiming permission prompts and safeguards, but the silent pre-authorization raises substantive security, privacy, and regulatory risks for practitioners deploying agent-enabled apps.
What happened
Anthropic's Claude Desktop macOS client silently installs a Native Messaging manifest, com.anthropic.claude_browser_extension.json, which pre-authorizes browser extension identifiers for multiple Chromium-based browsers. The manifest registers a local executable so approved extensions can invoke it. The file is installed even when the corresponding browsers or extensions are not present, effectively pre-granting future access without an explicit, contextual consent flow.
Technical details
The client is built on Electron, which bundles a version of Chromium. During installation Claude Desktop writes a Native Messaging manifest that lists approved extension IDs and points to a local binary. That pattern lets browser extensions call local code directly once the extension is installed or activated. Observed behaviors and relevant technical notes:
- The manifest pre-authorizes three extension identifiers, enabling automatic handoffs between browser extensions and the local Claude binary.
- The manifest is written system-wide and targets multiple Chromium forks, including browsers the user had not installed at the time of observation.
- Electron-based apps can legitimately use native messaging to interface with browsers, but best practice is to request explicit, per-action consent and present clear disclosure at install time.
Context and significance
This is not a minor UX bug. Agentic features such as Claude Code and the broader "use my computer" capability are designed to let the model open files, drive the browser, and automate workflows. That value proposition creates a tension between automation and the security model of local applications. Silent pre-authorization undermines browser sandbox expectations and extension security models, which assume the user decides which extensions gain the right to invoke local binaries. Privacy consultant Alexander Hanff has characterized the behavior as a dark pattern and argues it may violate Article 5(3) of the ePrivacy Directive, which requires clear details and consent for data access that is not strictly necessary to provide the service. From a risk perspective, unauthorized pre-granting of native messaging access enlarges the attack surface for prompt injection, extension compromise, and local privilege misuse.
Why practitioners should care
If you deploy agent-enabled desktop apps or integrate Electron clients into workflows, the incident highlights three operational risks: accidental escalation of local privileges via browser bridges, regulatory exposure under EU privacy law when consent flows are insufficient, and erosion of user trust when clients modify other vendors' application settings. Security teams must treat native messaging manifests as sensitive configuration artifacts and instrument installation processes with transparent consent, logging, and least-privilege defaults.
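The manifest pattern described under "Technical details", and the advice above to treat Native Messaging manifests as sensitive configuration, both come down to the same audit: find every host manifest a Chromium-based browser would honour and check what it grants. The following Python script is an added example for this article; it is not Anthropic's code and does not reproduce com.anthropic.claude_browser_extension.json. It parses manifests in the documented Chromium format (name, path, type, allowed_origins) and flags the properties a security team would want surfaced: more than one pre-authorized extension origin, a host binary that is not yet installed, malformed names or origins, and a file name that does not match the host name. The sample manifest, its host name, binary path and extension IDs are constructed placeholders, and the directory list holds the typical macOS manifest locations, which you should verify for your own environment.

```python
"""Audit Chromium Native Messaging host manifests on macOS (added example,
not Anthropic's code; sample values below are constructed placeholders)."""
import json
import os
import re
from pathlib import Path

# Assumed typical manifest locations (user-level, then system-level) for
# Chromium-based browsers on macOS. Verify these for your own environment.
MANIFEST_DIRS = {
    "Google Chrome": [
        "~/Library/Application Support/Google/Chrome/NativeMessagingHosts",
        "/Library/Google/Chrome/NativeMessagingHosts",
    ],
    "Chromium": [
        "~/Library/Application Support/Chromium/NativeMessagingHosts",
        "/Library/Application Support/Chromium/NativeMessagingHosts",
    ],
    "Microsoft Edge": [
        "~/Library/Application Support/Microsoft Edge/NativeMessagingHosts",
        "/Library/Microsoft/Edge/NativeMessagingHosts",
    ],
}

REQUIRED_KEYS = {"name", "description", "path", "type", "allowed_origins"}
# Host names: lowercase alphanumerics, underscores and dots, no leading,
# trailing or doubled dots. Extension IDs: 32 characters from a-p.
HOST_NAME_RE = re.compile(r"[a-z0-9_]+(\.[a-z0-9_]+)*")
ORIGIN_RE = re.compile(r"chrome-extension://[a-p]{32}/")

# Constructed sample: a manifest that pre-authorizes several extensions for a
# binary that is not installed yet (the pattern the article describes).
SAMPLE_MANIFEST = {
    "name": "com.example.agent_bridge",
    "description": "Constructed sample: bridge between extension and local agent",
    "path": "/Applications/ExampleAgent.app/Contents/MacOS/agent-bridge",
    "type": "stdio",
    "allowed_origins": [
        "chrome-extension://aaaabbbbccccddddeeeeffffgggghhhh/",
        "chrome-extension://iiiijjjjkkkkllllmmmmnnnnoooopppp/",
        "chrome-extension://abcdabcdabcdabcdabcdabcdabcdabcd/",
    ],
}


def audit_manifest(manifest: dict, path_exists=os.path.exists) -> list[str]:
    """Return findings for one parsed manifest (empty list means clean).
    path_exists is injectable so manifests copied from another machine can be
    audited without touching the local filesystem."""
    findings = []
    missing = REQUIRED_KEYS - manifest.keys()
    if missing:
        findings.append(f"missing required keys: {sorted(missing)}")
    name = manifest.get("name", "")
    if not HOST_NAME_RE.fullmatch(name):
        findings.append(f"invalid host name {name!r}")
    if manifest.get("type") != "stdio":
        findings.append(f"unexpected type {manifest.get('type')!r} (Chromium supports stdio only)")
    origins = manifest.get("allowed_origins") or []
    bad = [o for o in origins if not ORIGIN_RE.fullmatch(o)]
    if bad:
        findings.append(f"malformed allowed_origins: {bad}")
    if len(origins) > 1:
        findings.append(f"{len(origins)} extensions pre-authorized to invoke the host")
    host_path = manifest.get("path", "")
    if not host_path.startswith("/"):
        findings.append(f"path is not absolute: {host_path!r}")
    elif not path_exists(host_path):
        findings.append(f"host binary not present: {host_path} (access granted ahead of install)")
    return findings


def scan(dirs=MANIFEST_DIRS) -> dict[str, list[str]]:
    """Walk the manifest directories and audit every *.json found."""
    results = {}
    for browser, candidates in dirs.items():
        for d in candidates:
            folder = Path(d).expanduser()
            if not folder.is_dir():
                continue
            for mf in folder.glob("*.json"):
                key = f"{browser}: {mf}"
                try:
                    data = json.loads(mf.read_text())
                except (OSError, ValueError) as exc:
                    results[key] = [f"unreadable manifest: {exc}"]
                    continue
                findings = audit_manifest(data)
                # Chromium resolves a host by file name, so name must match.
                if data.get("name") != mf.stem:
                    findings.append(f"name {data.get('name')!r} does not match file {mf.name}")
                results[key] = findings
    return results


if __name__ == "__main__":
    print("Constructed sample manifest:")
    for line in audit_manifest(SAMPLE_MANIFEST, path_exists=lambda p: False):
        print("  -", line)
    print("Local scan:")
    for key, findings in scan().items():
        print(key, "->", findings or ["clean"])
```

Run as-is it first audits the constructed sample (reporting three pre-authorized extensions and a missing binary), then walks the listed directories on the local machine. The two checks that matter most for the incident described above are the origin count and the missing-binary check, since a manifest that names several extensions for a binary that is not there yet is exactly a pre-grant of future access; wiring `scan()` into an endpoint inventory job gives the logging the paragraph above asks for.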
What to watch
Anthropic's response is the immediate next data point. Look for a patch that removes pre-authorization, a clearer consent and disclosure flow, or a public legal/regulatory inquiry. Beyond Anthropic, vendors shipping agentic features will face increased scrutiny from browsers, privacy regulators, and enterprise security teams; expect new guidance and possibly browser-side hardening of Native Messaging approvals.
Short takeaway
The functionality that lets Claude automate user machines embodies useful capabilities, but the current installation behavior crosses established security and consent boundaries. Practitioners should treat agentic desktop clients as a new class of attack surface and demand explicit, auditable consent and minimal default permissions.
Scoring Rationale
This is a notable security and privacy incident that affects agentic desktop clients and raises potential EU regulatory exposure. It is not yet systemic across the industry, but it highlights an important and emerging class of risks for practitioners building or deploying agent-enabled desktop apps.