Privacy researcher Alexander Hanff, an occasional contributor to The Register, was reviewing Brave’s configuration settings on his MacBook when he spotted a file he’d never created. It came from Anthropic.
The file is called com.anthropic.claude_browser_extension.json, a Native Messaging manifest that Chromium-based browsers consult when an extension needs to invoke a system executable. According to Hanff, Claude Desktop wrote it into Brave’s directory without notification, without asking for permission, and despite him never installing any Claude extension.
What the file does, and why it matters
Hanff’s analysis shows the manifest pre-authorizes three Claude extension identifiers to invoke an executable bundled with Claude Desktop, chrome-native-host, which runs outside the browser sandbox with user privileges. He then verified the same behavior on a second machine and found the manifest written across seven Chromium-based browser directories, including Chrome, Brave, Edge, Vivaldi, Arc, and Opera. Four of these browsers weren’t even installed on that system. Claude Desktop created the corresponding directories on first launch.
The application’s internal logs, per Hanff’s report, explicitly record the operation under the system name Chrome Extension MCP and show over thirty installation events in current and archived log files. Modification timestamps indicate the file gets rewritten every time the app starts. Manually deleting it doesn’t help; it reappears on the next launch.
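One way to check a machine for the manifests described above, as an added example (not code from Hanff's report or from Anthropic): the script walks a directory tree for NativeMessagingHosts folders and reports each manifest's host name, executable path, authorized extension IDs and modification time. The `browser_dir_otherwise_empty` heuristic, the sample tree, the placeholder executable path and the sample extension ID are assumptions constructed for this example; `name`, `path` and `allowed_origins` are the standard Native Messaging manifest keys.

```python
import json, re, sys
from pathlib import Path

# Chromium extension IDs are 32 characters drawn from a-p.
ORIGIN_RE = re.compile(r"^chrome-extension://([a-p]{32})/$")

def audit_native_hosts(root):
    """Return one finding per Native Messaging manifest found under root."""
    findings = []
    for host_dir in sorted(Path(root).rglob("NativeMessagingHosts")):
        if not host_dir.is_dir():
            continue
        # Assumed heuristic: a browser directory holding nothing else was created for the manifest.
        lone = not any(p != host_dir for p in host_dir.parent.iterdir())
        for manifest in sorted(host_dir.glob("*.json")):
            try:
                data = json.loads(manifest.read_text(encoding="utf-8"))
                if not isinstance(data, dict):
                    raise ValueError("manifest is not a JSON object")
                origins = list(data.get("allowed_origins") or [])
            except (OSError, TypeError, ValueError) as exc:
                findings.append({"manifest": str(manifest), "error": str(exc)})
                continue
            exe = str(data.get("path") or "")
            findings.append({
                "manifest": str(manifest),
                "host": data.get("name"),
                "executable": exe,
                "executable_exists": bool(exe) and Path(exe).is_file(),
                "extension_ids": [m.group(1) for o in origins if (m := ORIGIN_RE.match(str(o)))],
                "browser_dir_otherwise_empty": lone,
                "mtime": manifest.stat().st_mtime,  # compare across app launches
            })
    return findings

def build_sample_tree(root):
    """Constructed sample: one browser with profile data, one without."""
    doc = {"name": "com.anthropic.claude_browser_extension", "type": "stdio",
           "path": "/placeholder/chrome-native-host",  # constructed path
           "allowed_origins": ["chrome-extension://" + "a" * 32 + "/"]}  # constructed ID
    for browser in ("InstalledBrowser", "AbsentBrowser"):
        d = Path(root, browser, "NativeMessagingHosts")
        d.mkdir(parents=True)
        (d / (doc["name"] + ".json")).write_text(json.dumps(doc), encoding="utf-8")
    Path(root, "InstalledBrowser", "Default").mkdir()

if __name__ == "__main__":
    # Default root is the macOS per-user location; pass another root as argv[1].
    root = sys.argv[1] if len(sys.argv) > 1 else Path.home() / "Library/Application Support"
    print(json.dumps(audit_native_hosts(root), indent=2))
```

A finding with `browser_dir_otherwise_empty` set to true corresponds to the case reported above, where the manifest sits in a directory for a browser that is not installed.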
According to Hanff, Anthropic’s documented capabilities for Chrome integration include access to authenticated user sessions, reading page content, filling forms, and logging interactions. With the bridge already installed, a successful prompt injection attack against the Claude extension would, in Hanff’s assessment, have a direct path to the unsandboxed executable. Anthropic itself, in its launch documentation for Claude for Chrome, lists an 11% success rate for prompt injection attacks even with active mitigations in place.
Hanff believes the behavior violates Article 5(3) of the EU ePrivacy Directive, which requires explicit consent for writing data to user devices except in cases of strict technical necessity.
A second expert weighs in
Noah Kenney, a consultant at Digital 520, confirmed to The Register that Hanff’s technical claims are verifiable and reproducible by independent reviewers. On regulatory grounds, Kenney says the manifest write falls within Article 5(3)’s scope, and the “strict necessity” argument doesn’t hold much weight in Europe, where regulators tend to read that term narrowly. Kenney distanced himself from Hanff’s “spyware” label, clarifying that this is pre-positioned, dormant integration rather than active data exfiltration, though the attack surface risk remains real.
Anthropic hasn’t responded to The Register’s request for comment or to Hanff’s public post. Hanff said he hasn’t filed a formal complaint yet but intends to do so if the company doesn’t address the installation mechanism.

