Security researchers at Oasis Security have identified a vulnerability in Anthropic's Claude Desktop application that could allow attackers to inject hidden prompts through specially crafted claude:// links. The flaw exploits how the desktop client handles URL scheme requests, potentially enabling malicious actors to trigger arbitrary instructions without explicit user interaction or awareness.

How the Attack Works

The vulnerability stems from Claude's implementation of its custom URL handler. When a user clicks a claude:// linkβ€”whether in an email, messaging app, or websiteβ€”the desktop application automatically processes the embedded parameters as prompt instructions. Unlike traditional phishing attacks that require users to type commands, this technique leverages the deep-linking mechanism to inject prompts directly into the conversation context.

Real-World Implications

Prompt injection via URL schemes represents a significant escalation in AI attack vectors. An attacker could craft links that instruct Claude to exfiltrate conversation history, modify system behaviors, or chain multiple malicious operations together. The stealth factor is particularly concerning: victims might see only a brief flash of activity before the injected commands execute silently in the background.

Scope and Affected Versions

The vulnerability affects Claude Desktop's URL scheme handler on macOS and potentially Windows platforms. According to the Oasis Security report, the issue lies in how the application parses and auto-submits parameters from incoming links without presenting users with a confirmation prompt or visible interface during execution.

Anthropic's Response

Anthropic has been notified of the vulnerability through responsible disclosure. The company has acknowledged the finding and is working on mitigations that would require explicit user consent before executing commands triggered via URL schemes. Security researchers recommend disabling automatic URL handling in Claude Desktop as a temporary workaround until a patch is available.

Broader Ecosystem Concerns

This disclosure highlights a systemic pattern emerging across AI assistant ecosystems: URL scheme handling often lacks the security scrutiny applied to traditional web applications. As more desktop clients adopt deep-linking mechanisms for seamless user experiences, the attack surface for prompt injection expands significantly.

Key Takeaways

  • Claude Desktop auto-submits prompts from claude:// links without visible confirmation
  • Attackers can inject arbitrary instructions by hosting malicious links across platforms
  • Temporary mitigation involves disabling automatic URL scheme handling in settings

The Bottom Line

This isn't theoreticalβ€”it's a reminder that AI systems trusted with sensitive data need the same security rigor as traditional applications. Deep-linking convenience shouldn't come at the cost of user control over what gets executed inside their assistant.