PromptFiction

A single click on a trusted-looking link runs an attacker's instructions inside Claude Desktop. No confirmation, no review.

Claude Desktop registers a claude:// URL scheme. Click a link that uses it and the app opens, takes a prompt from the link, and submits it. The user never sees the full prompt, and never approves it.

We proved it with a decoy ASCII-art tool: the link it hands you carries a request you can read and an instruction you cannot. The same channel can plant a hidden prompt, exfiltrate conversation history, read the file system, or execute code.

What's inside

  • How claude:// turns a link into an auto-submitted prompt
  • The decoy tool, and the hidden instruction it ships
  • The fix in Claude Desktop 1.1.2321, and how to govern agent access
PromptFiction: one-click Claude Desktop vulnerability
Share