Technical Advisory: Claude Desktop Extensions Tool Chaining Vulnerability

Security researchers disclosed a tool chaining vulnerability in Claude Desktop Extensions rated CVSS 10/10, but this represents a known risk class in agentic AI systems – not a novel attack. We assess this as Medium severity and recommend organizations treat it as a governance opportunity for AI tooling extensions.

Disclosed: February 9, 2026

Severity: Medium (Geordie Assessment)

Package/Component: Claude Desktop Extensions (DXT)

Advisories: Disclosure

Executive Summary

What Happened: Security researchers disclosed a vulnerability in Claude Desktop Extensions (DXT) where external content (such as calendar events) can trigger code execution through autonomous tool chaining. The researchers rated this as CVSS 10/10.

Why It Matters:

  • AI Tooling Governance: Organizations adopting AI coding assistants need visibility into the security implications of extension ecosystems
  • Developer Productivity vs Security: DXT's ease-of-use creates potential for ungoverned capability accumulation
  • Existing Risk Class: This vulnerability represents a known pattern in agentic AI systems – not a novel attack class
  • Vulnerable Defaults: Users of Claude Desktop do not necessarily need to install third-party extensions to be vulnerable – built-in connectors, if enabled, can likewise be leveraged for this issue.

High-Level Risks:

  • Code execution through chained tool invocations
  • Data exfiltration via privileged extensions
  • System compromise through unsandboxed execution
  • Shadow IT proliferation in development environments

Immediate Actions:

  1. Audit installed DXT extensions and remove unnecessary ones
  2. Avoid combining external data sources with code execution extensions
  3. Consider manual MCP configuration for sensitive environments
  4. Monitor Anthropic security channels for updates

Overview

Security researchers demonstrated that Claude Desktop, when configured with both a data ingestion extension (Google Calendar) and a code execution extension (Desktop Commander), can be manipulated into executing arbitrary commands through content embedded in external data sources.

The attack requires no user interaction beyond a generic prompt like "check my calendar and take care of it" – Claude autonomously chains the calendar read operation with code execution based on instructions embedded in event content.

Risk Analysis

Our Assessment: Medium Severity

CVSS 4.0 Base Score: 7.7 High
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:P
AIVSS: (CVSS:7.7/AARS:4.0) Medium

While the disclosure rates this vulnerability as CVSS 10/10, we assess this as a Medium severity risk for the following reasons:

  1. Not a Novel Attack Class: This is a demonstration of the well-documented tool chaining risk inherent to agentic AI systems. The same vulnerability pattern exists in any MCP configuration that combines external data ingestion with privileged execution – DXT simply makes it easier to inadvertently create this combination.
  2. Preconditions Required: Exploitation requires:
    • Multiple specific extensions installed (data source + executor)
    • Attacker ability to inject content into the data source
    • User prompt that triggers the chaining behavior
  3. Equivalent Risk in Manual MCP: Organizations using manually configured MCP servers with similar tool combinations face identical exposure. DXT lowers the barrier to creating dangerous combinations but doesn't introduce a fundamentally new vulnerability.

What DXT Does Change:

  • Reduced Friction: One-click installation makes it easy to accumulate extensions without security review
  • Implicit Trust: Marketplace distribution may create false assumptions about vetting
  • Visibility Gap: Extensions may be installed without organizational awareness

Technical Details

  1. Tool Chaining Mechanism:
    • Claude autonomously determines which tools to invoke based on user prompts
    • No hardcoded safeguards prevent chaining low-risk connectors to high-risk executors
    • The agent interprets content from external sources as potential instructions
  2. DXT Architecture:
    • Extensions run unsandboxed with full system privileges
    • Extensions are MCP servers packaged for easy distribution
    • Unlike browser extensions, no isolation boundary exists between extensions and the host system
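
The point in "Tool Chaining Mechanism" that no safeguard prevents a low-risk connector's output from leading straight into a high-risk executor can be modelled as a session-level taint check. The following is an added example, not Claude Desktop's or Anthropic's code: it assumes a hypothetical interposition point in front of the MCP servers where each proposed tool call can be inspected, and the tool names in the two sets are constructed for illustration. Once an untrusted-source tool has returned content into the context, the gate withholds executor tools until a human explicitly confirms the call.

```python
"""Session-level tool-call gate: after untrusted content enters the context,
executor tools require explicit confirmation.  Added example with a
hypothetical interposition point; not Claude Desktop's or Anthropic's code."""
from dataclasses import dataclass, field

# Constructed tool names standing in for the two capability classes
# the advisory describes (data ingestion vs. code execution / state change).
UNTRUSTED_SOURCE_TOOLS = {"list_events", "read_email", "fetch_url"}
EXECUTOR_TOOLS = {"execute_command", "write_file"}


@dataclass
class SessionGate:
    tainted: bool = False                          # untrusted content seen
    taint_origin: list = field(default_factory=list)
    decisions: list = field(default_factory=list)

    def check(self, tool: str, confirmed: bool = False) -> str:
        """Decide a proposed tool call: 'allow' or 'needs_confirmation'.

        An executor call is only auto-allowed while the session is clean;
        after taint, the caller must present an explicit human confirmation.
        """
        if tool in EXECUTOR_TOOLS and self.tainted and not confirmed:
            decision = "needs_confirmation"
        else:
            decision = "allow"
        self.decisions.append((tool, decision))
        return decision

    def record_result(self, tool: str) -> None:
        """Call once a tool has returned; source tools taint the session."""
        if tool in UNTRUSTED_SOURCE_TOOLS:
            self.tainted = True
            self.taint_origin.append(tool)


def replay(calls):
    """Run a sequence of (tool, confirmed) pairs through a fresh gate and
    return the (tool, decision) list.  Only allowed calls 'execute' and
    therefore only they can introduce taint."""
    gate = SessionGate()
    out = []
    for tool, confirmed in calls:
        decision = gate.check(tool, confirmed)
        out.append((tool, decision))
        if decision == "allow":
            gate.record_result(tool)
    return out


# Constructed replay of the chain the researchers demonstrated: a calendar
# read followed by an executor call, then the same call with confirmation.
DEMO_CHAIN = [
    ("list_events", False),
    ("execute_command", False),
    ("execute_command", True),
]

if __name__ == "__main__":
    for tool, decision in replay(DEMO_CHAIN):
        print(f"{tool:18} -> {decision}")
```

The gate is order-sensitive by design: an executor call made before any untrusted read is allowed, because nothing external has had a chance to steer it. The residual weakness of this control is the confirmation step itself; if users approve executor calls reflexively, the check degrades to a click-through, so the confirmation prompt should show the taint origin recorded in `taint_origin` rather than a bare yes/no.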

Impact

Systems with vulnerable extension combinations may experience:

  • Arbitrary code execution triggered by external content
  • Data access and exfiltration through chained operations
  • Credential exposure if extensions have access to sensitive files
  • Persistent compromise if extensions have write access

Affected Configurations

This vulnerability affects Claude Desktop installations where:

  • Two or more DXT extensions are installed
  • At least one extension ingests external/untrusted data (calendars, email, web, documents)
  • At least one extension can execute code or modify system state

Note: The same risk exists in manual MCP configurations with equivalent tool combinations.

Immediate Mitigation Steps

  1. Audit Extensions:
    • Review all installed DXT extensions
    • Document the capabilities each extension provides
    • Remove extensions that are not actively required
  2. Avoid Dangerous Combinations:
    • Do not install data ingestion extensions alongside code execution extensions
    • If both are required, implement additional controls (see below)
  3. Consider Alternatives:
    • Manual MCP configuration provides equivalent functionality with greater visibility
    • Increased setup complexity is offset by explicit capability awareness
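
The three mitigation steps above (inventory the extensions, document what each can do, flag the ingestion-plus-execution pairing) can be turned into a repeatable check. The script below is an added example, not the advisory's or Anthropic's tooling. It reads server names from the `mcpServers` key of a constructed `claude_desktop_config.json` fragment (the key Claude Desktop uses for manually configured MCP servers) and compares them against a team-maintained capability register, which is an assumption of this example: it represents the documented review of each extension, and anything absent from it is reported as unreviewed. The same audit applies to DXT extensions once their names are listed, whichever way they were installed.

```python
"""Audit an installed MCP/DXT inventory for the untrusted-source + executor
combination the advisory describes.  Added example, not the advisory's or
Anthropic's code.  CAPABILITY_REGISTER is a constructed, team-maintained
mapping of reviewed extensions to capability tags."""
import json

INGESTS_UNTRUSTED = "ingests_untrusted_data"      # calendars, email, web, documents
EXECUTES = "executes_code_or_modifies_state"     # shell, file writes, installs

# Constructed register: what each reviewed extension is known to be able to do.
CAPABILITY_REGISTER = {
    "google-calendar": {INGESTS_UNTRUSTED},
    "desktop-commander": {EXECUTES},
    "filesystem": {EXECUTES},
    "unit-converter": set(),
}

# Constructed claude_desktop_config.json fragment.  "weather" is deliberately
# absent from the register to show the visibility-gap case.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "google-calendar": {"command": "npx", "args": ["-y", "calendar-mcp"]},
        "desktop-commander": {"command": "npx", "args": ["-y", "desktop-commander"]},
        "weather": {"command": "uvx", "args": ["weather-mcp"]},
    }
})


def installed_servers(config_text: str) -> list:
    """Return the sorted names of manually configured MCP servers."""
    return sorted(json.loads(config_text).get("mcpServers", {}).keys())


def audit(installed, register) -> dict:
    """Report unreviewed extensions and whether an untrusted data source is
    installed alongside an executor (the affected configuration)."""
    unreviewed = [n for n in installed if n not in register]
    sources = [n for n in installed if INGESTS_UNTRUSTED in register.get(n, set())]
    executors = [n for n in installed if EXECUTES in register.get(n, set())]
    return {
        "unreviewed": unreviewed,
        "untrusted_sources": sources,
        "executors": executors,
        "dangerous_combination": bool(sources and executors),
    }


if __name__ == "__main__":
    result = audit(installed_servers(SAMPLE_CONFIG), CAPABILITY_REGISTER)
    print(json.dumps(result, indent=2))
```

An unreviewed extension is treated as a finding in its own right, not silently assumed benign: the register is the only place where a capability claim has been checked, so an entry missing from it is exactly the "Visibility Gap" the advisory calls out. The `dangerous_combination` flag is intentionally coarse; it says the preconditions are met, not that injection into the source is feasible, which is a separate question for each data source.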

Long-term Recommendations

  1. Organizational Governance:
    • Establish DXT extension policies similar to browser extension policies
    • Require security review before extension installation
    • Maintain an approved extensions list for development environments
  2. Technical Controls:
    • Implement endpoint monitoring for DXT activity
    • Consider network segmentation for systems running DXT
    • Restrict DXT usage to non-sensitive systems until architectural improvements are available
  3. Vendor Engagement:
    • Monitor Anthropic security advisories for platform updates
    • Advocate for sandboxing and permission controls in future DXT versions
    • Consider enterprise agreements that include security commitments

Framework Context

This vulnerability aligns with multiple security frameworks:

  • OWASP ASI04:2026 Agentic Supply Chain Vulnerabilities: DXT marketplace as a distribution vector for capabilities that combine into dangerous configurations
  • OWASP ASI02:2026 Tool Misuse and Exploitation: Autonomous tool chaining enabling unintended capability combinations
  • OWASP LLM01:2025 Prompt Injection: External content interpreted as instructions by the agent

Conclusion

The disclosure highlights a real risk in Claude Desktop Extensions, but it's important to understand this in context. The underlying vulnerability – autonomous tool chaining between data sources and executors – is a known risk class in agentic AI systems that exists regardless of whether tools are installed via DXT or manual MCP configuration.

DXT's contribution to the risk is primarily one of friction reduction: it makes it easier for users to inadvertently create dangerous tool combinations without explicit awareness of the implications. Organizations should treat this as an opportunity to establish governance around AI tooling extensions, rather than a reason to avoid Claude Desktop entirely.

The recommended approach is to audit extension usage, avoid dangerous combinations, and apply the same security rigor to AI tool extensions that organizations apply to browser extensions and other developer tooling.

Updates

We will update this analysis as Anthropic responds to the disclosure or releases architectural improvements to the DXT platform.
