Claude Cowork Audits Chrome Extensions

🔑 Enhanced Key Takeaways

• •Claude Cowork lacks audit logging and compliance API integration, making it unsuitable for regulated workloads and creating accountability gaps for enterprise security teams[3].
• •Prompt injection attacks represent the primary attack vector for Claude in Chrome, with adversaries embedding hidden instructions in web content, emails, and documents that can override user commands and trigger unintended actions[2][4].
• •Claude Desktop Extensions run unsandboxed with full system privileges, enabling zero-click remote code execution attacks—rated CVSS 10/10—through chained connectors like Google Calendar, a vulnerability Anthropic has declined to fix[2][5].

🛠️ Technical Deep Dive

• •Claude's content scanning uses classifiers to detect adversarial commands embedded in hidden text, manipulated images, and deceptive UI elements within untrusted content[4].
• •The Claude in Chrome extension maintains persistent login credentials and can execute JavaScript on any visited page, creating an always-on attack surface that never shrinks[2].
• •Cowork activity is excluded from audit logs, Compliance API, and data exports, preventing forensic analysis and compliance monitoring[3].
• •Claude Cowork inherits access to the entire browser session, including all logged-in accounts, personal email, AWS credentials, and internal tools visible in the active tab[6].
• •Anthropic's Opus 4.5 model achieves a 1% attack success rate against prompt injection attempts, though security researchers question the acceptability of this failure rate for critical tasks[2].

🔮 Future ImplicationsAI analysis grounded in cited sources

⏳ Timeline