Building off the insights from some posts I recently made, I’ve decided to pivot more intentionally into Cyber Security research. My first target for investigation; the Claude Desktop App.
On April 18, 2026, Alexander Hanff published an article titled “Anthropic secretly installs spyware when you install Claude Desktop.” He had found native messaging host manifests written by Claude Desktop into seven Chromium-based browser directories on his Mac, including four browsers he had never installed; the manifests pointed at a binary inside the app bundle and pre-authorised three browser extension IDs to invoke that binary outside the browser sandbox at user privilege level. No consent dialog, no opt-in, no mention in the application’s documentation. The manifests were rewritten on every app launch. Thirty-one separate installation events across his log files.
I read his article and checked my own machine. I found exactly what he described. Then I kept going.
Over four sessions between April 21 and April 24, 2026, I conducted a systematic investigation of Claude Desktop for macOS. The investigation used Claude itself as the primary instrument; a tool that allows Claude to execute shell commands on the user’s Mac provided read-only access to the application bundle, its configuration files, its log streams, its process tree, and portions of its source code. All probes were read-only. The only modification to system state was a lockout applied to the native messaging host directories during the first session to mitigate the vulnerability disclosed byHanff, which I will describe below.
The investigation produced eleven findings that are not publicly documented as of April 24, 2026. Seven are entirely novel; four are partially novel (the general class of issue is known, but the specific instance is new). Additional findings with security implications have been disclosed to Anthropic under responsible disclosure; specific exploitation paths, file paths, and source code extracts are withheld from this version of the article, but may be published at a later date after the disclosure window closes.
I have organised the findings by severity, beginning with the three I consider critical.
Critical Findings
1. An unsandboxed video capture service runs on every launch
Claude Desktop spawns seven child processes at startup. Six of them run inside the Chromium sandbox. The seventh is a video capture service, and it runs with sandboxing explicitly disabled.
The service is currently idle on my machine. It has no device handles open, no camera frameworks loaded, no active capture sessions. But it is running, on every launch, with full user privileges and no sandbox isolation. The application holds a camera entitlement; the service inherits the application’s permissions. If an attacker achieves main-process code execution through any vector, the service is available to be directed without triggering a new operating-system consent dialog.
The gap between “the user can upload photos from their camera” and “an unsandboxed video capture service runs at all times regardless of whether the user has ever used camera features” can be large, depending on your perspective.
2. The error-monitoring SDK captures screenshots of conversations
Claude Desktop integrates the Sentry error-monitoring SDK. Anthropic’s public documentation for Claude Code describes this integration as “operational error logging” and provides an environment variable to disable it. No equivalent variable exists for the Desktop application. The documentation does not mention what the SDK actually does beyond logging.
The SDK includes a Screenshots integration that captures window screenshots when error events fire. Separately, it includes a Session Replay capability that, when server-side enabled, records user interactions continuously.
The screenshots are not hypothetical. I documented multiple organic crashes in a short window from a single day’s log on my own machine. Each crash fires the error handler. Each error handler invocation triggers the Screenshots integration. The screenshots capture whatever is on screen at the moment of the crash, which in a desktop chat application means conversation content.
Sentry is a third-party service outside Anthropic’s direct infrastructure control. Anthropic has made a trust decision to route error telemetry through Sentry that may include screenshots of conversations, stack traces containing file paths, device fingerprints, and possibly user identity. The specific attack chains this enables have been disclosed to Anthropic and are withheld from this article.
3. Permission bypass mechanisms exist in shipping Desktop code
The --dangerously-skip-permissions flag is well-documented for Claude Code’s command-line interface and has been extensively discussed in public security analyses. The finding here is narrower: permission bypass mechanisms also exist in the Desktop application’s sessions bridge source code, including modes that disable all permission checking for browser-extension-initiated actions. The code paths exist in shipping software. They are gated behind feature flags and configuration values, but they are present and functional.
The concept of permission bypass in Claude’s tooling is not new. That it extends into the Desktop application’s bridge infrastructure, where it applies to actions initiated through the browser extension rather than the CLI, has not been publicly documented. The specific gates, flag identifiers, and session-level configuration values have been disclosed to Anthropic.
High-Severity Findings
4. Local credential storage enables environment impersonation
The application’s configuration directory contains an encrypted OAuth token cache alongside an unencrypted file that stores environment identifiers and session state. The encryption key is stored in the macOS Keychain. If the Keychain entry’s access control list is bound to the signing team ID rather than to a specific binary hash, any application signed by the same team can read the key, which combined with the unencrypted environment identifiers would allow an attacker to impersonate the user’s environment to Anthropic’s backend.
The specific files, encryption parameters, and Keychain entry details have been disclosed to Anthropic.
5. Container file paths leak through artifact resolution
When Claude Desktop resolves artifacts for display, it transmits container file paths as URL query parameters in requests to Anthropic’s infrastructure. The paths contain project names, tool names, and working directory structures. Combined with an organisation identifier embedded in the endpoint URL, this creates a persistent metadata side channel that accumulates a profile of the user’s working environment over time.
6. The Cowork plugin permission gate defaults to open
Cowork plugins execute CLI binaries inside the VM with injected authentication tokens. The permission gate pattern-matches against rules declared in plugin manifests. If no rule matches the command, the gate defaults to permitting execution. The design is default-open rather than default-closed; a plugin whose manifest omits a rule for a particular command implicitly permits that command to run without checks.
7. The local database stores plaintext conversation history alongside encrypted credentials
The application ships with database migration files that define a schema for storing encrypted API keys, cloud credentials, and OAuth tokens alongside plaintext conversation history, code execution logs including source and output, host call logs, custom system prompts, and filesystem access grants. The encrypted credentials and the plaintext data sit in the same database, which means a single database compromise exposes both categories.
The database is created lazily and does not yet exist on my machine. The schema is present in the application bundle and will be instantiated on first use of certain features.
Moderate-Severity Findings
8. Six subsystems initialise regardless of user configuration
Hanff documented one instance: the Chrome Extension MCP writing native messaging host manifests despite no user opt-in. The pattern extends to five additional subsystems.
The Chrome Extension MCP subsystem initialises on every launch and attempts to participate in the tool result pipeline regardless of whether the user has disabled it in settings. The sessions bridge reads state and performs backend registration before the local configuration can prevent it. The BLE buddy subsystem registers its communication channels unconditionally and sends telemetry about paired device count regardless of whether developer mode is active. Three additional services (artifact resolution, audio, and video capture) initialise as part of the process tree with no configuration gate.
Configuration toggles in the application’s settings UI change stored values. They do not change runtime behaviour. A user who disables every optional feature still runs all six subsystems on every launch. The toggles produce the appearance of control without the substance.
Under PIPEDA, which governs in my jurisdiction, consent must be meaningful. A configuration option that the application ignores is the appearance of consent without the substance. The user believes their choice has been honoured because the UI accepted it; the application proceeds as though the choice was never made.
9. A stable VM identity persists across months of sessions
The code execution VM maintains a stable identifier that has not changed on my machine in three months. Combined with the artifact path leakage documented in Finding 5, this creates a durable cross-session machine fingerprint that Anthropic’s infrastructure can correlate across conversations, projects, and time.
10. The BLE buddy auto-accepts certain pairing modes
Anthropic publicly released the Hardware Buddy as a developer feature on April 20, 2026, documenting it as requiring Developer Mode activation. The official documentation says “The BLE bridge is off by default.”
The source code tells a different story at the edges. The subsystem’s communication channels register on every launch regardless of developer mode. Telemetry is sent unconditionally. And the pairing mechanism includes a path where certain BLE pairing modes are auto-accepted without user interaction. The practical exploitability of this path depends on BLE stack behaviour that I have not tested, because testing it would require building a device to exploit it, which is outside the scope of read-only reconnaissance. The specific pairing mode and its implications have been disclosed to Anthropic.
11. The sessions bridge relays full conversations
The sessions bridge is not a session management service. Source analysis confirms that full user messages, assistant responses (including tool-use blocks), tool permission requests, and control requests all flow through the bridge between the remote transport and the local session manager. Every conversation turn passes through it. Message content is logged to the main process log.
The bridge sends the machine’s hostname to Anthropic’s backend on every environment registration. It persists session metadata and message identifiers to disk. A conflict response from the registration endpoint can expose one user’s machine hostname to another user, a finding whose details have been disclosed to Anthropic.
Two additional observations that do not warrant standalone findings but belong in the record: the application checks for VPN interfaces at startup, purpose unknown; and an additional permission mode exists in the configuration alongside the bypass mode documented in Finding 3, also purpose unknown.
What Anthropic Needs to Fix
I am not going to prescribe specific technical remediation for each finding. Anthropic’s engineering team understands their own codebase and is better positioned than I am to determine how to fix what they built. What I can say is what the findings, taken together, tell a user about the relationship between what the application claims to do and what it actually does.
The application claims to respect user configuration, but apparently six subsystems ignore their configuration toggles. The application claims Sentry integration is for error logging, but it is also for screenshot capture of conversation content. The application’s public documentation describes the BLE bridge as off by default, but the bridge’s channel infrastructure registers on every launch.
The settings UI presents toggles that produce no change in runtime behaviour. The consent model is cosmetic. A feature the user turns off should turn off. A telemetry integration that captures screenshots of conversations should be disclosed as a telemetry integration that captures screenshots of conversations. A permission bypass mode that exists in shipping code should be documented, not discovered through source analysis. These are not difficult standards to meet. That they need to be stated at all, about a company that has built its public identity around safety and trust, is its own kind of finding.
Future Directions
This is just the first audit. Having utilized Claude to examine the Claude desktop app, I’ve now developed a set of first principles to examine others. In the coming days / weeks, I will conduct a similar audit of the desktop applications for both ChatGPT and Gemini. Findings will be shared on this blog.
Responsible Disclosure
Several findings in this investigation have exploitation paths with potential security implications. These findings, including specific file paths, source code extracts, feature flag identifiers, configuration values, and reproduction steps, were disclosed to Anthropic’s security team.
The investigation was conducted on my own machine, using my own licensed copy of Claude Desktop, with Claude as the primary instrument.
References
Hanff, A. (2026, April 18). “Anthropic secretly installs spyware when you install Claude Desktop.” That Privacy Guy.
The Register. (2026, April 20). “Claude Desktop changes software permissions without consent.”
Anthropic. (2026). Claude Code documentation: Data usage. code.claude.com/docs/en/data-usage
Anthropic. (2026, April 20). anthropics/claude-desktop-buddy GitHub repository.
LayerX Security. (2026, February 12). “Claude Desktop Extensions Exposes Over 10,000 Users to Remote Code Execution Vulnerability.”
Koi Security. (2025, November 5). “PromptJacking: The Critical RCEs in Claude Desktop That Turn Questions Into Exploits.”