---
title: Anthropic Says Claude Writes Most of Its Code. Does Anyone Check What It Builds?
description: Claude Desktop silently installs browser permissions across seven Chromium browsers without consent. Anthropic says Claude writes most of its code. Who reviews what it builds?
author: Darie Nani (Editor-in-Chief)
date: 2026-05-03T12:55:55.283Z
updated: 2026-05-03T12:56:39.009Z
canonical: https://www.sovereignmagazine.com/article/anthropic-claude-desktop-browser-permissions
image: https://cdn.nanimediahouse.com/anthropic-claude-desktop-browser-permissions-featured-v2.webp
categories: Artificial Intelligence, Startups
content_type: Analysis
region: San Francisco
publication: Sovereign Magazine
about:
  - type: Organization
    name: Anthropic
---

Another week, [another blunder by Anthropic](https://www.sovereignmagazine.com/article/anthropic-self-sabotage-claude-code). This time, a privacy researcher has discovered that Anthropic's Claude Desktop application for macOS silently installs configuration files into seven Chromium-based browsers, including browsers the user has never installed. The files grant a local binary the ability to communicate with the Claude Chrome extension outside the browser's security sandbox. No consent dialog is shown. No opt-in is offered. When the files are deleted, the application recreates them on its next launch.

The discovery, by privacy consultant [Alexander Hanff](https://www.thatprivacyguy.com/blog/anthropic-spyware/), has prompted coverage in The Register, Malwarebytes and several other outlets. Anthropic has not responded publicly.

That alone would be a straightforward privacy story. But there is a second fact that makes it more interesting: Anthropic has stated publicly that Claude, its own AI model, now writes the majority of the company's code.

The two facts together raise a question that the company has not addressed. If Claude is writing production software for Anthropic, and that software is making decisions about user consent and browser access, who is reviewing what it produces?

## How Claude Desktop Installs Browser Permissions Without Consent

The file in question is a Native Messaging manifest, a standard Chrome API mechanism used by password managers and other applications that need a bridge between a browser extension and a local process. The file, named `com.anthropic.claude_browser_extension.json`, was placed in the `NativeMessagingHosts` directory for Google Chrome, Microsoft Edge, Brave, Arc, Chromium, Vivaldi and Opera.

The manifest registers a binary at `/Applications/Claude.app/Contents/Helpers/chrome-native-host` and pre-authorises three Chrome extension IDs, including the official Claude in Chrome extension. Through this bridge, the extension gains access to capabilities that include authenticated session data, DOM reading, form filling and screen capture, all running at user-level privileges outside the browser sandbox.

File timestamps show the Chrome manifest was first created in December 2025. In January 2026, six additional browser manifests appeared. In April, all seven were rewritten, confirming that the application regenerates them automatically.
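A defender can inventory these manifests directly. The sketch below is an added example, not code from the article, Hanff's write-up or Anthropic: it walks a directory tree for `NativeMessagingHosts` folders and reports each manifest's host binary, pre-authorised extension origins and modification time. The demo tree, its browser directory names and the extension ID are constructed placeholders.

```python
import json
import os
import tempfile
from pathlib import Path

HOSTS_DIR = "NativeMessagingHosts"  # directory name given in the article


def audit_native_hosts(root):
    """Return one record per Native Messaging manifest found under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) != HOSTS_DIR:
            continue
        dirnames[:] = []  # manifests sit directly in this directory
        for fname in sorted(filenames):
            if not fname.endswith(".json"):
                continue
            manifest = Path(dirpath) / fname
            try:
                data = json.loads(manifest.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                data = None
            if not isinstance(data, dict):
                findings.append({"manifest": str(manifest), "error": "unreadable"})
                continue
            host = data.get("path", "")
            findings.append({
                "manifest": str(manifest),
                "browser_dir": Path(dirpath).parent.relative_to(root).as_posix(),
                "name": data.get("name"),
                "host_binary": host,  # executable the browser will launch
                "host_exists": bool(host) and os.path.exists(host),
                "allowed_origins": data.get("allowed_origins", []),
                "mtime": manifest.stat().st_mtime,  # rewritten files show a fresh time
            })
    return findings


def demo():
    """Build a constructed profile tree and audit it (no real data touched)."""
    root = Path(tempfile.mkdtemp())
    sample = {  # constructed manifest; the extension ID is a placeholder
        "name": "com.anthropic.claude_browser_extension",
        "path": "/Applications/Claude.app/Contents/Helpers/chrome-native-host",
        "type": "stdio",
        "allowed_origins": ["chrome-extension://PLACEHOLDER_EXTENSION_ID/"],
    }
    for browser in ("Google/Chrome", "Vivaldi"):  # assumed directory names
        d = root / browser / HOSTS_DIR
        d.mkdir(parents=True)
        (d / "com.anthropic.claude_browser_extension.json").write_text(json.dumps(sample))
    return audit_native_hosts(root)
```

On a Mac, pointing `audit_native_hosts` at `Path.home() / "Library/Application Support"` (assumed here to be where the browsers keep their profile data) lists every registered host, and a manifest sitting in the directory of a browser that was never installed stands out.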

Hanff argues the behaviour constitutes a breach of Article 5(3) of the EU ePrivacy Directive, which requires explicit consent before storing or accessing information on a user's device unless strictly necessary for the service requested. He has sent Anthropic a cease-and-desist letter demanding opt-in changes within 72 hours.

## How Much of Anthropic's Code Is Written by Claude

Anthropic has made its internal use of Claude a selling point. Boris Cherny, the head of Claude Code, told [Fortune](https://fortune.com/2026/01/29/100-percent-of-code-at-anthropic-and-openai-is-now-ai-written-boris-cherny-roon/) in January that "pretty much 100%" of his code is AI-generated and that across Anthropic the figure is 70 to 90 per cent.

This is relevant because the browser permissions behaviour has the hallmarks of a system optimising for functionality rather than consent. Installing manifests across seven browsers is thorough. Pre-positioning them for browsers not yet installed is forward-thinking. Recreating deleted files is resilient. These are good engineering instincts applied without the judgment that a human reviewer would typically bring: does the user know this is happening, and did they agree to it?

An AI writing infrastructure code would see "user needs Native Messaging manifest for extension to work" and solve for that requirement directly. It would not, without specific instruction, consider whether the user should be asked first. That is not a flaw in the model. It is what these systems do. They optimise for the stated objective.

The question is whether Anthropic's internal review process is structured to catch these gaps when AI-generated code is involved, and whether the review standards applied to AI-written code are the same as those applied to code written by human engineers.

## Claude Chrome Extension Prompt Injection Risk

Anthropic's documentation includes safety benchmarks for its Chrome extension. The company reports that the extension is vulnerable to prompt injection attacks at a rate of 23.6% without mitigations and 11.2% with current mitigations in place.

Those figures take on a different character when the extension is connected to a binary running outside the browser sandbox with full user privileges. A successful prompt injection through the Chrome extension could, in principle, escalate through the Native Messaging bridge to execute actions on the local machine.

The combination of a known attack surface, a persistent and silently installed bridge, and no user consent mechanism is difficult to reconcile with Anthropic's public positioning as the safety-focused AI laboratory.

## Does AI-Generated Code Get the Same Review as Human Code

There is no public information about whether Anthropic applies different review standards to code written by Claude versus code written by human engineers. The company has not disclosed its internal code review process for AI-generated contributions.

A human engineer writing a Native Messaging installer would understand the consent implications from professional experience and industry norms. An AI generating the same code would produce whatever achieves the stated requirement most effectively, unless the review process explicitly checks for consent, privacy and regulatory compliance.

Several security practitioners who have commented on the story note the same pattern. Noah M. Kenney, a security consultant at Digital 520, observes that regulators typically interpret "strictly necessary" narrowly under the ePrivacy Directive, and that this implementation likely falls outside any acceptable exemption.

The broader industry question is whether companies using AI to write production code are adjusting their review processes to account for the fact that AI does not apply ethical or regulatory judgment by default. The Claude Desktop case suggests that at least one company has not.

## What the Claude Desktop Controversy Means for AI-Written Production Code

Anthropic has not issued a public statement. The company has not replied to press inquiries from The Register or other outlets, and has not acknowledged the findings in any forum. Users who want to remove the manifests are left with community workarounds: a script on GitHub called "Claude Bridge Cleaner" that deletes the files and locks the paths to prevent Claude from recreating them.

Every major technology company now uses AI to write some portion of its production code. Most have not said how much, or how the review process differs from code written by human engineers. Anthropic is unusual only in that it has been explicit about the extent of its reliance on Claude, and that a specific piece of software has now demonstrated what can happen when the review process does not account for consent.

The fix for the Claude Desktop issue is trivial. A consent dialog, an opt-in toggle, a preference pane. Any competent engineer would add one. The question is why none did, and whether the answer is that no human engineer was involved in the decision.

## FAQ

**Q: Is Claude Desktop safe for data privacy?**
Claude Desktop's silent installation of Native Messaging manifests across seven browsers, without user consent, has raised privacy concerns. A privacy researcher has argued the behaviour breaches EU ePrivacy rules. Anthropic has not publicly responded to the allegations.

**Q: What are the security risks of AI-generated code?**
AI-generated code optimises for the stated requirement without applying ethical or regulatory judgment by default. Without human review that specifically checks for consent mechanisms, privacy compliance and security implications, AI-written code can produce technically correct solutions that overstep user expectations.

**Q: Does Anthropic care about safety?**
Anthropic positions itself as the safety-focused AI laboratory and publishes safety benchmarks for its products. However, the Claude Desktop browser permissions issue and the company's silence in response have prompted questions about whether internal practices match public commitments.

**Q: What are the risks of using an AI system to produce code?**
The primary risk is that AI systems solve for functionality without considering context that a human developer would recognise, such as user consent, regulatory requirements or industry norms around privacy. Companies using AI to write production code need review processes that account for these gaps.
