A security finding around Claude Desktop Extensions shows a hard problem for AI agents: the same autonomy that makes them useful can also make them dangerous. According to LayerX, one manipulated Google Calendar entry can cause arbitrary code to run on a user's computer without a confirmation step.
The issue is not just a bug in one workflow. It points to a deeper design conflict in agent systems that connect language models to outside services, local tools, sensitive data, and operating-system capabilities.
What LayerX says it found
Security firm LayerX uncovered a critical vulnerability in Claude Desktop Extensions, also called DXT. The vulnerability scored a 10 out of 10 on the Common Vulnerability Scoring System (CVSS) scale, which the source describes as a widely used industry standard for rating how dangerous security flaws are.
LayerX says the issue affects more than 10,000 active users and 50 DXT extensions. The attack path begins with Google Calendar, a service many users would reasonably treat as a harmless source of scheduling information.
Claude Desktop Extensions are add-on programs available through Anthropic's marketplace. They are built on the Model Context Protocol (MCP), an open standard developed by Anthropic that lets AI models connect to external tools and data sources.
Those extensions can connect Claude to services such as Google Calendar, email, or local tools on a computer. In that sense, they resemble browser add-ons with one-click installation. But LayerX says the comparison breaks down at the security boundary.
The missing boundary between reading and acting
Browser extensions run in an isolated environment and do not have direct access to the operating system. According to LayerX, DXT extensions operate without that isolation and with full system privileges.
That means they can read any file, execute system commands, pull stored credentials, and change OS settings. LayerX describes them as "privileged execution bridges" between Claude's language model and the local operating system.
The risk comes from how Claude combines installed extensions. When a user makes a request, Claude can independently select and chain tools to complete the task. LayerX says there are no built-in security mechanisms preventing data from a lower-risk service such as Google Calendar from being passed directly to a local tool that can execute code.
In plain terms, the agent does not maintain a clear line between content it should merely read and instructions it may act on. That is the core security problem: useful automation depends on connecting tools, but unsafe tool chaining can turn outside text into a command path.
How a calendar entry becomes code execution
The attack LayerX documented does not rely on special tricks, obfuscation, or hidden instructions. It starts with a user asking: "Please check my latest events in Google Calendar and then take care of it for me."
A person might understand that as a routine scheduling request. According to LayerX, Claude interpreted the phrase "take care of it" as a reason to execute local code through an extension.
The calendar entry is titled "Task Management" and contains two instructions: download code from a specific URL and run it on the computer. No confirmation dialog appears, and the user does not need to take another action.
The result, according to the source, is that an attacker gains full control over the victim's machine. The alarming part is the simplicity: an external calendar item can become part of an agent's reasoning and then move through a tool chain with local execution rights.
Anthropic's reported response
LayerX reported the vulnerability to Anthropic. According to the security researchers, Anthropic decided not to fix the issue because the behavior is consistent with the intended design.
The stated reasoning is that the design prioritizes maximum autonomy and cooperation between extensions. A fix would limit the AI agent's ability to freely combine tools, which would reduce its usefulness.
LayerX's recommendation is direct: until meaningful safeguards are in place, MCP extensions should not be used on systems where security matters. Security researcher Roy Paz put the concern in one sentence: "A calendar event should never be able to compromise an endpoint."
That recommendation does not depend on a complicated threat model. If an extension can bridge outside content and local system privileges, the user has to trust every step in the chain, including the agent's interpretation of ambiguous text.
The broader agent problem
The case fits a long-standing tension between AI capabilities and cybersecurity. Udo Schneider, Governance, Risk & Compliance Lead Europe at Trend Micro, says current language models cannot distinguish between content and instructions. Everything the model receives is just text.
That matters because the mechanisms that make language models flexible also make them vulnerable to instructions from outside sources. AI agents increase the risk because they are more complex and act with more autonomy.
The source notes that Anthropic's Claude Cowork agent and the hyped OpenClaw agent have already demonstrated this kind of risk, along with many similar systems. The pattern is not limited to one extension or one calendar workflow.
Schneider points to a security rule that agents should only use two out of four capability classes at the same time: external communication, access to sensitive data, processing untrusted content, and long-term storage. In practice, agents often use all four because doing so makes them more powerful.
"The more capabilities are used, the higher the risk. However, if this risk is taken consciously and in a controlled manner, there is little to be said against it," Schneider says. "The only problem is that a lot of things are used without rhyme or reason as part of the hype."
The Claude Desktop Extensions case makes that tradeoff concrete. An agent that can freely connect tools can do more for the user. But if the system cannot reliably separate outside content from executable intent, security and usefulness become competing goals rather than complementary ones.