Anthropic's Claude Desktop App Installs Undisclosed Native Messaging Bridge

honeycrispy

I am beginning to suspect that Anthropic may not be as ethical as they purport themselves to be.

jmathai

I only learned about Native Messaging this week. I've been hacking away at a browser-based tool that uses anthropic APIs on the backend. But what I really want is for the browser to talk to my local claude becuase I have MCPs, skills, network access for a bunch of things. I started with a little proxy installed on my computer that the browser can call but knew it would never pass any security review. The alternative I didn't originally know about was Native Messaging. It's a fairly benign way to let a browser talk to and execute commands on your computer. But doing it without disclosing is, I agree, very bad. (tool I'm hacking away at needs to talk to local claude and acli: https://withlattice.com )

horsawlarway

Personally, this is a nothing-burger. This is how native messaging works in extensions. Apps declare via manifest that extensions can talk to them. Further - the user still has to install the extension in the browser and the user has to approve the permissions popup that explicitly states the extension will have permission to "Communicate with cooperating native applications." See: https://developer.chrome.com/docs/extensions/reference/permi... So it's hardly undisclosed. Every user with the extension has accepted this permissions popup that communicates that this is happening and allowed. (whether permissions prompts like this are actually helpful is a different topic).

input_sh

Previous version that was [flagged] away from the homepage, even though I now see that the flag was since removed: https://news.ycombinator.com/item?id=47829800 (125 upvotes, 34 comments)

midtake

Google Chrome installs a bunch of spyware too, nobody bats an eye