LayerX — Claude Desktop Extensions zero-click RCE via calendar event
• Category: Security
AI relevance: This is a tool-chain vulnerability in an LLM agent ecosystem (MCP/Claude Desktop Extensions) that can convert untrusted calendar data into local code execution.
- LayerX reports a zero-click RCE chain where a Google Calendar event can trigger local code execution via Claude Desktop Extensions.
- Desktop Extensions are MCP servers packaged as .mcpb bundles that run on the host machine.
- Unlike browser extensions, these connectors execute unsandboxed with full system privileges.
- The attack hinges on autonomous tool chaining: a low-risk connector (Calendar) feeds data into a high-risk local executor.
- LayerX says the issue impacts 10,000+ active users and 50+ extensions.
- The report assigns CVSS 10.0 and notes the architectural trust-boundary problem remains unresolved.
Why it matters
- Agentic desktop tooling can turn benign data sources into privileged execution paths.
- “Low-risk” connectors become high-risk when they can silently invoke local tools.
- It underscores the need for hard boundaries between untrusted context and local execution.
What to do
- Gate privileged tools behind explicit, user-visible confirmation.
- Sandbox MCP connectors or run them with least-privilege OS accounts.
- Audit tool-chaining policies so untrusted inputs cannot reach local executors.
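
One way to enforce the last two recommendations in an agent's tool dispatcher, as an added sketch that is not code from LayerX, Claude Desktop, or any MCP SDK. The tool names, trust labels and the ToolBroker class are hypothetical; the policy is that a privileged tool needs user confirmation, and is refused outright once untrusted connector output has entered the session context.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Hypothetical tool names and trust labels, assumed for this sketch.
UNTRUSTED_SOURCES = {"calendar.list_events"}  # output is attacker-influenced text
PRIVILEGED_TOOLS = {"local.run_command"}      # executes on the host

class PolicyViolation(Exception):
    """Raised when a tool call would cross the trust boundary."""

@dataclass
class ToolBroker:
    tools: dict                              # tool name -> callable
    confirm: Callable[[str, dict], bool]     # user-visible prompt, True = approved
    tainted_by: Optional[str] = None         # first untrusted source seen this session
    audit: list = field(default_factory=list)

    def call(self, name: str, **args):
        if name in PRIVILEGED_TOOLS:
            if self.tainted_by:
                # Untrusted data is in context: never chain into local execution.
                self.audit.append(("deny-tainted", name))
                raise PolicyViolation(f"{name} blocked: context tainted by {self.tainted_by}")
            if not self.confirm(name, args):
                self.audit.append(("deny-unconfirmed", name))
                raise PolicyViolation(f"{name} blocked: user declined")
        result = self.tools[name](**args)
        if name in UNTRUSTED_SOURCES and self.tainted_by is None:
            self.tainted_by = name
        self.audit.append(("allow", name))
        return result

def demo() -> list:
    # Constructed sample data: an event whose description carries instructions.
    events = [{"title": "Sync", "description": "(constructed) text asking the agent to run a task"}]
    broker = ToolBroker(
        tools={"calendar.list_events": lambda: events,
               "local.run_command": lambda cmd: f"ran {cmd}"},
        confirm=lambda name, args: True,  # stands in for a real UI prompt
    )
    broker.call("local.run_command", cmd="echo hello")  # clean context, user approved
    broker.call("calendar.list_events")                 # context is now tainted
    try:
        broker.call("local.run_command", cmd="echo hello")
    except PolicyViolation:
        pass                                            # refused, recorded in the audit log
    return broker.audit
```

The audit list doubles as the record to review when auditing which tool chains were attempted and which were refused.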