Security firm LayerX has disclosed a serious weakness in Claude Desktop Extensions that allows remote code execution with no clicks from the user. Anthropic has acknowledged the issue but, according to multiple reports, has chosen not to ship a code fix, instead telling customers to manage the risk through configuration and deployment controls.
The dispute exposes a growing fault line in AI tooling, where powerful assistants are wired into calendars, terminals, and corporate systems yet do not always follow the hardened patterns used for browsers and mobile apps. This case is emerging as a test of how much danger users are expected to accept when they let an LLM act on their behalf.
How a calendar invite turns into code execution
LayerX researchers say a single malicious Google Calendar event can silently compromise a machine that runs Claude Desktop Extensions and has access to a local terminal. In their scenario, an attacker sends an invite that looks routine, but the event description hides instructions that Claude interprets as a task, which then leads to code execution on the endpoint when the assistant is asked to process it. That chain, from calendar text to system commands, is described as a zero click path to remote control of the host through Claude Desktop Extensions.
The key weakness sits at the junction between external data and local tools. Rather than treating calendar content as untrusted, the model is allowed to act on it with the same power a logged in user would have, including running scripts and installing software. One analysis notes that the flaw “creates system wide trust boundary violations in LLM driven workflows, resulting in a broad, unresolved attack surface,” a description tied directly to how the assistant bridges Google Calendar and the host system through Anthropic Claude extensions.
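The trust boundary described above can be enforced outside the model as a deployment control. The following is an added example, not code from Anthropic, LayerX, or Claude Desktop Extensions; the tool names, the `Session` class, and the sample call sequence are hypothetical. It marks a session as tainted once untrusted content enters the context and then refuses privileged tool calls unless a human confirms them.

```python
from dataclasses import dataclass, field

# Hypothetical tool labels (assumptions, not Claude DXT identifiers).
UNTRUSTED_SOURCES = {"calendar.read_events", "email.read", "web.fetch"}
PRIVILEGED_TOOLS = {"terminal.exec", "fs.write", "package.install"}

@dataclass
class Session:
    tainted_by: list = field(default_factory=list)  # untrusted sources read so far
    audit: list = field(default_factory=list)       # (tool, decision, taint) records

    def record_result(self, tool: str) -> None:
        """Call whenever a tool result is placed into the model's context."""
        if tool in UNTRUSTED_SOURCES and tool not in self.tainted_by:
            self.tainted_by.append(tool)

    def authorize(self, tool: str, args: dict, confirm=None) -> bool:
        """Decide whether a tool call proposed by the model may run."""
        if tool not in PRIVILEGED_TOOLS or not self.tainted_by:
            decision = "allow"
        elif confirm is not None and confirm(tool, args, list(self.tainted_by)):
            decision = "allow-after-confirmation"
        else:
            # Fail closed: no confirmation channel means no privileged action.
            decision = "deny"
        self.audit.append((tool, decision, tuple(self.tainted_by)))
        return decision != "deny"

def replay(calls, confirm=None):
    """Run a sequence of proposed (tool, args) calls through the gate."""
    session = Session()
    results = []
    for tool, args in calls:
        allowed = session.authorize(tool, args, confirm)
        results.append(allowed)
        if allowed:
            session.record_result(tool)
    return results, session.audit

# Constructed sample: the assistant reads the calendar, then proposes a
# terminal command derived from an event description (placeholder text).
SAMPLE = [
    ("calendar.read_events", {"range": "latest"}),
    ("terminal.exec", {"cmd": "<command taken from event description>"}),
]

if __name__ == "__main__":
    for record in replay(SAMPLE)[1]:
        print(record)
```

The taint is session-wide and never cleared, which is deliberately conservative: once calendar text is in context, the gate cannot tell which later tool calls it influenced.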
LayerX’s findings and the “zero click” label
According to summaries of the research, LayerX classifies the issue as a zero click remote code execution bug because the victim only needs to let Claude handle the event, with no further confirmation prompt. In one write up, the firm explains that all that would be required to trigger the vulnerability would be to ask Claude to handle the event and for Claude to have terminal access, a flow that turns a simple scheduling request into a full compromise path.
A separate report on the same work describes how a single Google Calendar event can silently compromise a system running Claude Desktop Extensions, reinforcing LayerX’s claim that the attack surface is not theoretical. The researchers argue that because the exploit rides on normal assistant behavior, traditional user training will not stop it, which is why they frame it as a bombshell finding for people who rely on Claude Desktop Extensions in day to day workflows.
Why Claude DXT’s container falls short
LayerX’s critique goes beyond one exploit and into the design of Claude DXT’s environment. In a detailed assessment, the firm says “Claude DXT’s container falls noticeably short of what is expected from a sandbox,” arguing that the extension stack behaves more like a local app with broad privileges than a tightly confined plugin. That concern is tied to the way Claude DXT is packaged, and coverage of its security posture quotes the same phrase.
Security specialists also point to the fact that, unlike traditional browser extensions, Claude Desktop Extensions run unsandboxed with full system privileges. One analysis warns that this design means Claude can operate more like privileged enterprise software than a constrained helper, which magnifies the blast radius of any prompt injection or data poisoning attack that reaches the assistant, especially when Claude Desktop Extensions are wired into terminals, file systems, and production services.
Anthropic’s response and refusal to patch
Reporting on the disclosure says Anthropic has acknowledged the security issue but declined to fix it in code, telling customers that they must exercise caution when granting permissions and manage the risk through proper deployment controls. One detailed account notes that this stance has drawn criticism from security engineers who expected a more direct response from Anthropic.
Another summary, citing LayerX’s work, explains that the vendor was informed of the zero click remote code execution vulnerability within Claude Desktop Extensions and chose not to address it, even though the attack can lead to execution without any user interaction. According to that account, The Register reports that LayerX identified a zero click remote code execution vulnerability within Claude Desktop Extensions and that Anthropic opted not to address it, a choice that now shapes how enterprises view the risk of Claude in sensitive environments.
Real world impact: 10,000 Users and counting
The potential impact is not small. One community write up warns of a “Critical Vulnerability in Claude Desktop Extensions Exposes Over 10,000 Users to Remote Attacks,” framing the issue as a live risk rather than a lab curiosity. That same discussion stresses that the weakness works by abusing how LLM tools are linked to untrusted data sources, a concern that has spread quickly among users who rely on AI agents to triage their inboxes and calendars.
LayerX’s own example shows how low the bar is for exploitation. In their scenario, the simple but ambiguous prompt, “Please check my latest events in Google Calendar and then take care of it from there,” is enough to kick off the chain of actions that leads to compromise. Analysts explain that a single Google Calendar event can silently compromise a system running Claude Desktop Extensions, and that this kind of request is exactly the type of natural language instruction that busy staff give to assistants every day, which is why they argue that LayerX’s example should worry security teams.