PromptFiction
A single click on a trusted-looking link runs an attacker's instructions inside Claude Desktop. No confirmation, no review.
Claude Desktop registers a claude:// URL scheme. Click a link that uses it and the app opens, takes a prompt from the link, and submits it. The user never sees the full prompt, and never approves it.
We proved it with a decoy ASCII-art tool: the link it hands you carries a request you can read and an instruction you cannot. The same channel can plant a hidden prompt, exfiltrate conversation history, read the file system, or execute code.
What's inside
- How claude:// turns a link into an auto-submitted prompt
- The decoy tool, and the hidden instruction it ships
- The fix in Claude Desktop 1.1.2321, and how to govern agent access

Share



