Claude add-on turns Google Calendar into malware courier
"Claude Desktop Extensions, recently renamed MCP Bundles, are packaged applications that extend the capabilities of Claude Desktop using the Model Context Protocol, a standard way to give generative AI models access to other software and data. Stored as .dxt files (with Anthropic transitioning the format to .mcpb), they are ZIP archives that package a local MCP server alongside a manifest.json file describing the extension's capabilities."
"By design, you cannot sandbox something if it is expected to have full system access. Perhaps they containerize it but that's not the same thing. Relative to Windows Sandbox, Sandboxie or VMware, Claude DXT's container falls noticeably short of what is expected from a sandbox. From an attacker's point of view it is the equivalent of setting your building code to 1234 and then leaving it unlocked because locking it would prevent delivery people from coming in and out."
LayerX identified a zero-click remote code execution vulnerability in Claude Desktop Extensions triggered by processing a Google Calendar entry. Anthropic has not patched the issue despite LayerX assigning it a CVSS score of 10/10. Claude Desktop Extensions (MCP Bundles) are .dxt/.mcpb ZIP archives packaging a local MCP server and manifest.json to provide Model Context Protocol access. The extensions are marketed as sandboxed with permission controls, Group Policy support, and blocklisting. LayerX and principal security researcher Roy Paz state that extensions execute without effective sandboxing and run with full host privileges, and that Claude processes public connectors like Google Calendar and autonomously selects installed MCP connectors, creating an exploitable attack vector.
Read at Theregister