Decoding the world of cybersecurity

Claude deep links exposed prompt controls

A crafted link could open Claude Desktop and submit hidden attacker instructions automatically, exposing the boundary between browsers, AI agents, and locally authorised tools.

Claude deep links exposed prompt controls
Summary
  • Claude Desktop’s custom URL handler accepted and submitted prompts from a link without allowing the user to review them.
  • Permissive tools or additional weaknesses could extend the attack into conversations, files, persistence, or local command execution.
  • Anthropic corrected the issue in Claude Desktop 1.1.2321, with no public evidence of active exploitation.

Anthropic has corrected a Claude Desktop vulnerability that allowed a crafted web link to open the application and submit attacker-controlled instructions without giving the user an opportunity to inspect or approve the prompt.

The flaw concerned the claude:// custom URL scheme registered by the desktop application. Custom schemes allow browsers and other applications to pass information directly into installed software, supporting workflows such as opening a meeting, document, or application page.

In the vulnerable Claude workflow, the link could contain a prompt that the desktop client accepted and submitted automatically. Oasis Security, which disclosed the weakness under the name PromptFiction, demonstrated the behaviour using a link presented as an ASCII-art tool.

The visible request appeared harmless, while additional instructions were embedded inside the URL and passed to Claude without being displayed in full. The user therefore authorised the browser to open Claude but did not review the complete instruction received by the AI client.

The base vulnerability enabled hidden prompt submission. Access to conversations, local files, persistence mechanisms, or command execution depended on the tools and permissions available to the affected Claude installation, or on the attack being combined with another weakness.

Those conditions distinguish the demonstrated flaw from its most serious potential consequences. A Claude installation with no connected tools offers a narrower path than one linked to a filesystem, terminal, source repository, or privileged SaaS account.

Anthropic corrected the issue in Claude Desktop version 1.1.2321. Oasis said its report was classified as a duplicate, indicating that the vendor was already aware of the vulnerability. No public evidence of exploitation has been disclosed.

The researcher’s PromptFiction report advises organisations to update the desktop client and review the resources accessible through connected tools.

A conventional application may use a deep link to select a page or object, while an AI agent can interpret the same input as an instruction to locate information, manipulate files, call an external service, or use credentials already granted to the user. The transition from navigation to action requires controls beyond ordinary URL handling.

Prompt inspection is one part of that control set. Tool permissions, data access, confirmation requirements, and execution logs determine what an agent can do after receiving an instruction. A malicious prompt reaching a read-only service presents a different risk from the same prompt reaching a command shell or business application with write access.

The route also crosses several established security boundaries. A link may begin inside an email, document, collaboration platform, or website, pass through a browser’s protocol handler, and end inside an AI client. Conventional web filtering may record the initial link without understanding the action eventually performed by the receiving agent.

Enterprise deployment processes should inventory custom URL handlers, connected tools, local permissions, and agent versions. AI desktop clients should receive only the authority required for their intended use, while actions involving sensitive files, commands, or external systems should display the full instruction and target resource before execution.

The PromptFiction vulnerability has been corrected, but the integration pattern extends across desktop agents and other software using custom protocols. As AI clients gain access to business systems, seemingly narrow interface functions can become control channels capable of carrying executable instructions.

×