Claude for Chrome is supposed to help people get things done in the browser. But a new report says another extension can still push it into reading Gmail and carrying out other tasks, without a genuine click from the user.
Manifold Security says it tested version 1.0.80 of the extension on July 7 and was still able to reproduce the problem. The company had first reported the issue to Anthropic in May.
According to details shared, a malicious extension with access to claude.ai can create a button on the page, attach one of Claude’s built-in task IDs to it and trigger a fake click. Claude then treats the request as if the user had clicked the button themselves.
The task list includes more than harmless examples. One Gmail task tells Claude to read recent messages, find promotional emails and unsubscribe from them. Other tasks can open the user’s latest Google Doc and read its comments, check Google Calendar availability, create meetings or modify Salesforce leads.
Manifold says the extension does not check whether the click was real before sending the request to Claude.
“The handler does not check event.isTrusted,” the researchers wrote. “Any script with DOM access on claude.ai can construct the button, set the task ID, and dispatch a synthetic click.”
Claude normally shows an approval prompt before taking sensitive actions. That limits what an attack can do without the user noticing. However, the report also looks at the extension’s “Act without asking” mode, where Claude can carry out tasks without requesting approval each time.
Manifold says that second issue is not directly exploitable on its own in version 1.0.80. It is still a concern because the extension can read a setting in its own URL and open a session in the high-risk mode. A future problem that exposes that process to another extension could make the situation much worse.
Anthropic released eight updates after Manifold’s original report, covering versions 1.0.73 through 1.0.80. The researchers say the relevant code was still unchanged when they checked the latest version. They also say the wider issue had been marked as resolved internally.
This is another reminder that browser extensions can become a privacy problem long after people install them. In a recent report, a Chrome extension used by around 900,000 people was removed after researchers found code that could have collected browsing data. Another investigation found more than 150 wallpaper extensions faking Google traffic while tracking users.
We have also seen seemingly useful free VPN extensions turn on clipboard monitoring after an update, potentially exposing passwords, verification codes and crypto wallet details.
So to stay on the safe side, Claude extension users should check the other extensions installed in the browser and remove those they do not recognize or trust. Keeping Claude in its approval-based mode is also a sensible precaution for now.

