The AI Sheep-Whisperer: How Any Website Could Put Words In Your Flock's Mouth
I have been warning about browser extensions since Netscape Navigator was considered cutting-edge technology. Nobody listened then. Nobody listens now.
Researchers at Koi Security disclosed a rather spectacular hole in the fence affecting Anthropic's Claude Chrome Extension. The short version: any website, any website at all, could silently inject prompts into the Claude assistant as if the lamb sitting at the keyboard had typed them personally. No clicks required. No warnings. The flock just sat there, chewing grass, completely unaware their AI assistant had been quietly redirected by a passing wolf.
Zero-click. That is the phrase that should make your blood run cold. The attacker does not need the user to do anything foolish. Which is, frankly, a relief, because asking the flock NOT to do something foolish has historically been a losing proposition.
This is a prompt injection attack, and if you are surprised that an AI assistant bolted directly onto your browser as a third-party extension could be manipulated by hostile web content, I genuinely do not know what to tell you. I have notes from 1997 that predicted exactly this category of problem. They are on a floppy disk. The floppy disk still works, which is more than I can say for modern security architecture.
The extension was essentially reading page content and passing it along to the model with insufficient boundaries between "what the user asked" and "what the website told it to ask." The wolf did not break the fence. The fence had a gap in it before the first sheep ever arrived.
The Shepherds, naturally, were nowhere to be found until the researchers filed a responsible disclosure report. Anthropic has since patched the extension. Shearing has occurred. Whether it was thorough shearing is, as always, a matter of professional skepticism.
My professional skepticism is currently at maximum capacity.
Remediation
For the Flock: Update the Claude Chrome Extension immediately. If you do not know what version you are running, you have larger problems and I suggest a long sabbatical from the internet.
For the Shepherds: Browser extensions that consume and process arbitrary web content require aggressive sandboxing and strict prompt boundary enforcement. This is not optional. Audit every AI extension you have approved for enterprise use. Yes, all of them. Yes, right now.
For Everyone: The Sky Pasture and its associated AI tools are not inherently trustworthy surfaces. Treat them accordingly. The Sheep Tunnel helps, but it does not fix bad extension architecture. Nothing fixes bad extension architecture except not having bad extension architecture.
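For the Shepherds' audit, here is an added example (not from the original report, and not Anthropic's or Koi Security's code): a small Node.js script that checks extension manifests for the standard Chrome manifest keys that expose an extension to arbitrary web content. The two sample manifests, the extension names and the choice of checks are constructed assumptions for illustration, not a description of the patched flaw.

```javascript
// Added example: static audit of Chrome extension manifests.
// Flags extensions that any website can reach or feed content to.
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const broad = (list) => (list || []).filter((p) => BROAD.has(p));

function auditManifest(manifest) {
  const findings = [];
  // MV3 keeps host patterns in host_permissions; MV2 mixes them into permissions.
  const hosts = broad([...(manifest.host_permissions || []),
                       ...(manifest.permissions || [])]);
  if (hosts.length) findings.push(`host access to every site: ${hosts.join(", ")}`);
  // A content script matched on every page reads whatever a hostile page serves.
  for (const cs of manifest.content_scripts || []) {
    if (broad(cs.matches).length) {
      findings.push(`content script on every page: ${(cs.js || []).join(", ")}`);
    }
  }
  // Pages matching externally_connectable can message the extension directly;
  // a wildcard subdomain widens that to every host under the domain.
  const ec = manifest.externally_connectable || {};
  const wild = (ec.matches || []).filter((p) => p.includes("*."));
  if (wild.length) findings.push(`wildcard externally_connectable: ${wild.join(", ")}`);
  return findings;
}

// Returns only the extensions that need a human review.
function auditAll(manifests) {
  return manifests
    .map((m) => ({ name: m.name, findings: auditManifest(m) }))
    .filter((r) => r.findings.length > 0);
}

// Constructed sample manifests (hypothetical extensions, not real products).
const SAMPLE_MANIFESTS = [
  { name: "Example AI Sidebar", manifest_version: 3,
    host_permissions: ["<all_urls>"],
    content_scripts: [{ matches: ["*://*/*"], js: ["reader.js"] }],
    externally_connectable: { matches: ["https://*.assistant.example/*"] } },
  { name: "Narrow Helper", manifest_version: 3,
    host_permissions: ["https://docs.example.com/*"],
    content_scripts: [{ matches: ["https://docs.example.com/*"], js: ["helper.js"] }] },
];

for (const r of auditAll(SAMPLE_MANIFESTS)) {
  console.log(r.name);
  for (const f of r.findings) console.log("  - " + f);
}
```

A flagged manifest is a reason to review how the extension separates page content from user instructions, not proof of a flaw.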
Stay paranoid out there. The wolves certainly are.
Original Report: https://thehackernews.com/2026/03/claude-extension-flaw-enabled-zero.html