Calendar Invitation, System Compromise

The attack scenario LayerX Labs presented was disarmingly simple. A user asks Claude Desktop something along the lines of "Please check my latest events in Google Calendar and then take care of it for me." Claude processes the request, reads the calendar events, finds one that contains hidden malicious instructions, invokes a local MCP extension with execution privileges, downloads the attacker's code, and runs it. No confirmation prompt. No warning. No visible indication to the user that anything unusual has happened.

The vulnerability, which LayerX rated CVSS 10.0 - the maximum severity score - affected Claude Desktop Extensions (DXT), which are Model Context Protocol (MCP) servers packaged and distributed through Anthropic's extension marketplace. Unlike browser extensions, which run in sandboxed environments with limited system access, Claude DXT extensions execute with whatever system privileges the logged-in user has. If you run Claude Desktop as your normal user account, every extension you install can do anything you can do on your computer.

Roy Paz, principal security researcher at LayerX, published the findings on February 9, 2026, disclosing that the vulnerability affected approximately 50 Claude Desktop Extensions and potentially exposing around 10,000 Claude Desktop users to silent system compromise.

The MCP Chain Problem

The vulnerability's root cause was not a coding bug in the traditional sense. It was an architectural design choice in how MCP-based systems like Claude DXT chain together different tools to fulfill user requests.

When a user installs a Google Calendar connector extension, they are granting Claude the ability to read their calendar data. This seems like a low-risk permission - reading calendar events is a benign operation. Separately, when a user installs an extension with terminal or code execution capabilities, they are granting Claude the ability to run commands on their machine. This is a higher-risk permission, but the user presumably trusts it for legitimate automation tasks.

The problem emerges when these capabilities combine. Claude processes a calendar event that contains embedded prompt injection instructions. The model, following its training to be helpful, interprets those instructions as a task to complete. It then chains the calendar-reading capability to the code-execution capability, using the first as input and the second as action. The "low-risk" calendar connector becomes the entry point for a "high-risk" code execution operation.

This is the fundamental challenge of tool-chaining in AI agent architectures. Each individual tool permission might be reasonable in isolation. When the AI can autonomously combine them, the effective security boundary becomes the union of all permissions across all installed extensions, not the individual permission of any single one. A calendar read combined with a terminal write equals arbitrary code execution triggered by anyone who can put text on your calendar.

The Attack Mechanics

LayerX demonstrated that the attack required no interaction from the user beyond the initial prompt to check their calendar. An attacker could send a Google Calendar invitation to any Claude Desktop user. The invitation's event description would contain instructions that, when processed by Claude, would direct the model to download and execute a payload from an attacker-controlled server.

"If exploited by a bad actor, even a benign prompt ('take care of it'), coupled with a maliciously worded calendar event, is sufficient to trigger arbitrary local code execution that compromises the entire system," the LayerX researchers wrote.

Because the extensions execute with full system privileges, the downloaded code inherits the same level of access as the logged-in user. On most personal machines, this means full access to the filesystem, network, credentials, and any other data or applications the user can access. The model reads the event, invokes the local MCP extension, downloads the attacker's code, and runs it - a complete attack chain from calendar invitation to system compromise.

Anthropic's Response

When LayerX reported the vulnerability to Anthropic, the company behind Claude, the response was notable: Anthropic declined to fix it, stating that the issue "falls outside our current threat model."

Anthropic's position was that Claude Desktop Extensions "run in sandboxed environments with explicit permission controls" and that "enterprise features include Group Policy support and extension blocklisting." The company argued that "users maintain full control over which MCP servers they enable and the permissions those servers have" and that "the security boundary is defined by the user's configuration choices and their system's existing security controls."

In other words, Anthropic's stance was that this was a user configuration problem, not a product vulnerability. If a user installs both a calendar connector and a terminal-access extension, and an attacker exploits the combination, the user bears responsibility for their configuration choices.

This framing drew immediate criticism from the security community. The Register noted the fundamental tension: the extensions marketplace exists precisely to encourage users to install multiple extensions that work together. Telling users that the security boundary depends on their understanding of which combinations of extensions create exploitable attack chains is a theory of security that works for professional administrators and fails for virtually everyone else.

The Broader Pattern

The Claude Desktop Extensions vulnerability fits a pattern that has become increasingly visible across AI agent platforms. As AI assistants gain the ability to interact with external data sources (email, calendars, documents, web pages) and take actions on the user's behalf (execute code, modify files, send messages), the combination of "read untrusted input" and "execute actions" creates prompt injection attack surfaces that are difficult to mitigate.

The challenge is that the AI model treats all input the same way. It does not distinguish between a user's intentional instructions and adversarial instructions embedded in a calendar event, an email, or a webpage. When the model processes text, it processes text - whether that text comes from a trusted user or an attacker who managed to get their payload into a data source the AI reads.

Model-level mitigations like instruction hierarchies and input sanitization can reduce the risk but cannot eliminate it entirely. The only complete mitigation for this class of vulnerability is to never allow an AI agent to combine reading untrusted external data with executing privileged actions - a constraint that would significantly limit the usefulness of AI agent platforms.

What Users Can Do

TechRepublic and other outlets recommended that users disable or uninstall high-privilege Claude Desktop extensions on systems that ingest untrusted external data such as calendars, email, or shared documents. This is sound advice that also highlights the fundamental tension: the entire value proposition of AI desktop agents is that they combine data ingestion with action execution. Telling users to disable this integration is telling them not to use the product as designed.

For organizations, the takeaway was more concrete: AI desktop agents with tool-chaining capabilities need to be treated as potential attack surfaces, not productivity tools. The gap between "read my calendar" and "execute code on my machine" is exactly one prompt injection wide, and Anthropic's decision not to close that gap means users must close it themselves.