Claude Chrome extension: what “ShadowPrompt” teaches us about trust boundaries

How a chained allowlist and DOM XSS could route prompts into the Claude sidebar without a visible click, what changed in extension 1.0.41, and what to watch for in AI browser extensions.

eSafe Team | Published Mar 26, 2026 | Last reviewed Apr 1, 2026 | 8 min read

Security researchers at Koi Security described a flaw they called ShadowPrompt affecting Anthropic’s Claude Google Chrome extension. In the worst case, visiting a malicious page could contribute to prompt injection that reached the assistant as if the user had typed it—without a normal permission dialog for that specific action.

What actually went wrong (two linked problems)

The disclosure describes two weaknesses that worked together:

  1. A broad origin allowlist
    The extension treated messages from origins matching a *.claude.ai pattern as trustworthy enough to forward prompts into the Claude sidebar. That is convenient for product integration, but it widens the trust boundary: more hostnames inside the pattern mean more places where a bug becomes “extension-grade” serious.

  2. A DOM-based XSS in a third-party surface
    A CAPTCHA-related component (Arkose Labs) served from a hostname under that pattern (a-cdn.claude.ai) was reported to have a DOM-based cross-site scripting (XSS) issue. In that scenario, attacker-controlled data could lead to script running in that origin’s context.

Together, an attacker’s page could embed the vulnerable flow in a hidden iframe, use postMessage-style interaction, and end up with JavaScript in an allow-listed origin that could ask the extension to submit a prompt. From the user’s perspective, nothing obvious needed to be clicked for that chain to line up—hence the “zero-click” framing in press coverage.

Impact

If such a chain succeeded, the risks are the usual high-impact ones for AI assistants that can act inside the browser: exposure of session or access tokens, access to conversation history, or actions taken on the user’s behalf (for example sending messages that look like the user). The details depend on what the product allowed at the time.

What changed after disclosure

Responsible disclosure began around December 27, 2025. Anthropic shipped a Chrome extension update (version 1.0.41) that tightened origin checks toward an exact claude.ai match instead of a loose subdomain pattern. Arkose Labs addressed the XSS on their side by February 19, 2026.

If you use the extension, staying on current versions is the baseline hygiene step.
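
The difference between the loose subdomain pattern and the exact match described above, as an added example. This is not Anthropic's extension code: the function names and sample origins are constructed for illustration, and only a-cdn.claude.ai comes from the report.

```javascript
// Parse a serialized origin; reject anything that is not exactly an origin
// (extra path, non-default casing, the opaque "null" origin, garbage).
function parseOrigin(origin) {
  try {
    const u = new URL(origin);
    return u.origin === origin ? u : null;
  } catch {
    return null;
  }
}

// Loose rule: claude.ai or any host under it, i.e. a *.claude.ai style pattern.
function isTrustedOriginLoose(origin) {
  const u = parseOrigin(origin);
  if (!u || u.protocol !== 'https:') return false;
  return u.hostname === 'claude.ai' || u.hostname.endsWith('.claude.ai');
}

// Strict rule: exact comparison against a fixed set of full origins.
const EXACT_ORIGINS = new Set(['https://claude.ai']);
function isTrustedOriginStrict(origin) {
  const u = parseOrigin(origin);
  return u !== null && EXACT_ORIGINS.has(u.origin);
}

// Constructed sample origins, except a-cdn.claude.ai (named in the report).
const SAMPLE_ORIGINS = [
  'https://claude.ai',
  'https://a-cdn.claude.ai',
  'https://claude.ai.example',
  'https://notclaude.ai',
  'http://claude.ai',
  'null',
];

function compare(origins = SAMPLE_ORIGINS) {
  return origins.map((origin) => ({
    origin,
    loose: isTrustedOriginLoose(origin),
    strict: isTrustedOriginStrict(origin),
  }));
}

// Origins only the loose rule accepts: each one is extra trust boundary
// whose bugs (such as an XSS in a hosted widget) inherit extension trust.
function extraTrusted(origins = SAMPLE_ORIGINS) {
  return compare(origins).filter((r) => r.loose && !r.strict).map((r) => r.origin);
}

console.table(compare());
```

Running `extraTrusted()` over a real inventory of hostnames under a wildcard shows how many third-party or legacy surfaces a pattern rule would trust that an exact match would not.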

Takeaways

  • AI assistant extensions are high-value targets. They sit next to tabs, credentials, and email; “agent-like” behavior increases impact when something breaks.
  • Allowlists are only as strong as every origin on the list. A single vulnerable subdomain under a wildcard-style trust rule can become a launch pad for extension-trusted messages.
  • Third-party widgets (CAPTCHA, analytics, support chat) are still your trust boundary in practice if your extension trusts their origins.
  • Patch cadence matters. Update extensions you keep and remove ones you no longer need.

Practical next step

Review installed extensions, their permissions, and whether you still need them. eSafe can help you see permissions and risk signals in one place.

Report: The Hacker News.

FAQ

Was this silently stealing passwords?
Public discussion focused on prompt injection and assistant trust boundaries rather than generic password theft; the risk is subtle misuse of the assistant context tied to browsing.

Did Anthropic ship a fix?
Reporting references extension updates (for example the 1.0.41 line) and coordinated disclosure; always run the latest extension and browser versions from official channels.

What is the broader lesson for AI extensions?
Any extension that bridges untrusted web content and a privileged assistant must treat DOM and navigation events as hostile input—users should minimize unnecessary AI extensions and review permissions.
