How come @AnthropicAI can't even reply to an issue like this? github.com/anthropics/claude… The issue claims that the per-domain permissions on their Claude-in-Chrome plugin can be bypassed on disk. This means that if Claude has access to write to this file (under your username, in your home directory), it has permission to bypass the only permission boundary allowing full take-over of your browser for any site that isn't on their explicit block list (financial institutions etc). It's not reasonable to rely on the model's decisions as a security model. The binary question is, what could the agent do if some input text convinced it to? And if you install the Claude-in-Chrome plugin, the answer is "take over your whole browser, with all your logged in sessions". It's very irresponsible to be shipping this stuff and pushing it as a default, while being absolutely nowhere on security . My Claude had the Chrome MCP server on by default, and then it tries to use it and complains that the plugin isn't installed. Matthew Honnibal (@honnibal) It's insane that @AnthropicAI shipped the Claude-in-Chrome integration as a default. The only actual security boundary is per-domain, once you've allowed it to access a domain it can do anything. If you're building a web app just get it to generate a Playwright-based MCP tool — https://nitter.net/honnibal/status/2033912367365464397#m

→ View original post on X — @honnibal, 2026-03-17 17:57 UTC