A security researcher has found a practical shortcut that could let a malicious Chrome extension make Anthropic's Claude browser extension perform predefined AI actions on connected services simply by simulating a click. The finding, published by Manifold Security and credited to Ax Sharma, describes how Claude's extension accepts JavaScript-generated click events and uses them to launch built-in workflows for Gmail, Google Docs, Google Calendar, and Salesforce.
How Claude's extension listens for clicks and why that matters
Manifold's report says the Claude for Chrome extension listens for click events on a specific page element that launches one of its built-in AI workflows. Chrome extensions that are permitted to run on a page can inject JavaScript into that page — they can change elements, read displayed information, and generate click or keyboard events programmatically. Browsers mark real user actions by setting Event.isTrusted to true; synthetic events created by JavaScript are automatically marked isTrusted = false. According to the researchers, the Claude extension did not verify Event.isTrusted before executing a workflow, and treated an untrusted, script-generated click as if it came from a real user.
The supported workflows a malicious extension can trigger
- usecase-gmail: read recent Gmail, identify promotional emails, and click unsubscribe
- usecase-gdocs: open the user's latest Google Doc, read all comments and feedback
- usecase-calendar: read Google Calendar, find free slots, create meetings
- usecase-salesforce: modify Salesforce leads, convert them to opportunities
Manifold notes the attack surface is confined to these nine predefined task identifiers supported by the extension; it does not permit arbitrary prompt injection into Claude's model.
Attack prerequisites and practical limits
The vulnerability is not a simple webpage trick. Manifold explains a website alone cannot directly exploit the Claude extension — an attacker must first convince a user to install a malicious browser extension that has permission to run on the claude.ai domain. That malicious extension could then inject a page element containing one of the task identifiers and generate a synthetic click event that the Claude extension will execute. While a malicious extension typically already has broad access to pages it can run on, the researchers emphasize this flaw specifically allows such an extension to abuse Claude's authenticated access to connected services.
The second finding: skipPermissions=true and its classification
Manifold reported a second observation: an internal skipPermissions=true parameter that bypassed certain permission checks when launching the extension. The researchers acknowledge that parameter on its own was not directly exploitable; it would require chaining with another vulnerability to produce a specially crafted URL and trigger a real exploit. When Manifold disclosed both findings through Anthropic's bug bounty program, Anthropic acknowledged the reports. Anthropic closed the synthetic-click report, saying it was being tracked as part of a broader issue, and classified the skipPermissions=true finding as informational.
What this means for users, security teams, and adversaries
- End users and enterprise employees: The practical risk hinges on two configuration choices that the report highlights — whether users approve sensitive actions when prompted and whether the extension's optional "Act without asking" setting is enabled. If automatic action is allowed, a simulated click could complete tasks without an additional user confirmation.
- Security teams and technologists: Manifold's write-up underscores that a malicious extension with page permissions can amplify its reach by leveraging other trusted integrations. The report also documents that both findings remained reproducible in version 1.0.80 of the Claude extension, released July 7, with byte-identical content scripts and side-panel handlers to an earlier version cited by researchers.
- Adversaries and threat actors: The chain described requires social engineering to get a user to install a hostile extension and that extension must be granted the ability to run on claude.ai. The flaw does not broaden the set of actions beyond Claude's nine built-in workflows, but it does let a hostile extension trigger those authenticated actions programmatically.
Anthropic has been notified through its bug bounty program and acknowledged the reports; Manifold's verification on July 7 found the behavior reproducible in the current extension release at that time. The researchers emphasize the constraint that the vulnerability is limited to predefined tasks and requires a malicious extension already able to execute on claude.ai. Still, the combination — an extension with page access plus Claude's authenticated reach into Gmail, Docs, Calendar, and Salesforce — is the precise vector the report documents.
The finding is a reminder that even small implementation details — here, a missing isTrusted check — can change how authenticated integrations behave when an attacker controls the page environment. Manifold has put the technical record forward; Anthropic has acknowledged it and classified the second issue as informational. Whether and when a targeted code-level change will be released to close the synthetic-click pathway remains the concrete next step left on the record.




