TL;DR

In May 2026 the security firm LayerX disclosed ClaudeBleed, a vulnerability in Anthropic's Claude extension for Chrome that lets a malicious extension run commands inside Claude in Chrome and weaponize the AI agent to exfiltrate data from Gmail, GitHub, and Google Drive — including sending emails, deleting data, and sharing documents on behalf of the user. Anthropic's first patch reportedly addressed it only partially. The lesson for everyday extension users: the more permissions and cross-context capabilities an extension has, the larger the blast radius when something goes wrong. A simple, local-only PDF tool like Convert: Web to PDF does one thing, in your tab, with no network round-trip — exactly the opposite of a cross-tab AI agent.


What ClaudeBleed actually is

LayerX's writeup describes a chain that combines:

  1. Lax permissions — any Chrome extension installed alongside Claude in Chrome can run commands in the Claude extension's context.
  2. Poorly implemented origin trust — Claude in Chrome doesn't strictly validate where instructions are coming from.

Stitch those together and you get an attack pattern where a benign-looking second extension issues commands to Claude in Chrome. Claude, being a browser-agent designed to act on the user's behalf, then performs those commands against the user's authenticated sessions: read Gmail, copy data out of Drive, share documents, post on GitHub, send messages.

Anthropic released a patch when LayerX notified them, but follow-up reporting indicated the fix only partially closed the underlying issue. Anthropic also acknowledged related work in the broader prompt-injection problem space; none of this is unique to one vendor.

The takeaway isn't "AI browsers are evil." The takeaway is structural: an extension that has cross-tab access, authenticated session reach, and can take destructive actions is a much bigger target than an extension that has none of those.


Why "do one thing" extensions are safer

A simple way to think about extension risk:

Risk ≈ permissions × scope × persistence × ability-to-act

Compare an AI browser agent (Claude in Chrome, Atlas, Comet) to a local PDF extension:

| Risk factor | AI agent extension | Local PDF extension |
|---|---|---|
| Cross-tab access | Yes | No |
| Authenticated session reach | Yes | No |
| Outbound network calls on your behalf | Yes (LLM API) | No |
| Can send emails / messages | Yes | No |
| Can share documents | Yes | No |
| Persistent agent loops | Yes | No |
| Reads page content | Yes | Yes (current tab only) |
| Writes a file to disk | Sometimes | Yes (a PDF) |

A pure capture extension like Convert: Web to PDF reads the current tab, generates a PDF, and writes it to your downloads folder. It doesn't talk to a server. It doesn't iterate. It doesn't act across tabs. If a hypothetical bug somehow tricked it into capturing the wrong page, the worst-case outcome is "an extra PDF on your disk" — not "your inbox is gone."


Why people install AI agents anyway

The pitch for AI browsers is genuine: "do my multi-step web tasks for me." Compare flights across three tabs, draft a follow-up email, organize a shared doc, summarize five articles into a deck. Those are real workflows and they save real time.

But the cost of that capability is structural risk:

  • The extension must read pages on your behalf (often every tab, for context)
  • It must hold authenticated session tokens (otherwise it can't act on Gmail/Drive/GitHub)
  • It must make outbound network calls (to its LLM backend)
  • It must persist state across pages (otherwise it can't do multi-step tasks)

Any one of those is fine in isolation. The combination is what makes a single bug a catastrophic one. ClaudeBleed is the first widely reported example; it won't be the last. CVE-2026-7940 and CVE-2026-7937, disclosed on May 6 against V8 and DevTools policy enforcement, are reminders that extension privilege escalation is a hot research area in 2026.


The "least privilege" extension stack

If you want the benefits of Chrome extensions without the blast radius of an agent, build a stack of small tools that each do one thing locally:

| Job | Recommended approach | Why it's safe |
|---|---|---|
| Save a webpage as PDF | Convert: Web to PDF | Reads current tab, writes PDF locally |
| Convert files to PDF | Convert: Anything to PDF | File→file on disk, no uploads |
| Structured data from a page | ScrapeMaster | Extracts visible content; export local |
| AI model comparison (research) | CineMan AI | Read-only side-by-side; no agent |

You can do roughly 85% of what AI browser users do with this stack. The remaining 15% — "have AI take an action across multiple authenticated services for me" — is the part with the biggest risk and the smallest current safety guarantees. Hold off on that until the security story matures.


What changed for PDF workflows specifically

PDF workflows in particular have a clean separation between "capture" and "intelligence":

  • Capture can be 100% local: open a page, click a button, get a PDF.
  • Intelligence (summarize, extract, compare) can run on the captured PDFs, locally or via a service you choose — after you've decided what to send and what not to.

When you use an AI browser agent to "save and summarize this page" in one step, you're collapsing those two activities. The agent sees the page, sends it through its LLM backend, returns a summary, and only then might it save a PDF. You've already sent the page content somewhere you don't fully control.

When you use a local PDF extension, capture happens first. The page never leaves your machine. If you later want to use AI on the PDF, that's your choice — and you can be selective about which pages get fed to an LLM versus which stay private.

For sensitive material — HR documents, legal filings, internal Confluence pages, M&A diligence rooms — this two-step separation is the right pattern.


A practical check: how do you tell which extensions are "agent-y"?

Look at the permission warnings in the Chrome Web Store listing, or the permission names in the extension's manifest:

Higher risk (agent-shaped):

  • "Read and change all your data on all websites"
  • "Read your browsing history"
  • "Manage your downloads" (writing arbitrary files)
  • "Communicate with cooperating native applications"
  • "Read and change your data on a list of sites" that's very long

Lower risk (capture-shaped):

  • "Read and change your data on the website you're currently using"
  • "activeTab"
  • "downloads" (write to downloads folder only)

Convert: Web to PDF sits in the second category by design. It doesn't need cross-tab access. It doesn't need to read your history. It needs the current tab and the ability to save a file.

That's a meaningfully different threat model from anything that says "all data on all sites" plus "manage your downloads" plus "background" plus "messaging."
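
The check above can also be run against an extension's manifest.json. This is an added example, not code from the original page or from any extension named on it; the sample manifests are constructed, and treating "downloads" alone as capture-shaped is an assumption of the example.

```javascript
// Added example: map manifest.json permissions to the Web Store warnings
// listed above and label the extension agent-shaped or capture-shaped.
const ALL_SITES = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const ALL_SITES_WARNING = "Read and change all your data on all websites";
const WARNINGS = new Map([
  ["history", "Read your browsing history"],
  ["tabs", "Read your browsing history"],
  ["nativeMessaging", "Communicate with cooperating native applications"],
  ["downloads", "Manage your downloads"],
]);
// Assumption of this example: "downloads" alone does not make an extension
// agent-shaped, because the page lists it under both headings.
const AGENT_SIGNALS = new Set([
  ALL_SITES_WARNING,
  WARNINGS.get("history"),
  WARNINGS.get("nativeMessaging"),
]);

function auditManifest(manifest) {
  const perms = manifest.permissions || [];
  // MV3 uses host_permissions; MV2 put host patterns in permissions.
  const hosts = [
    ...(manifest.host_permissions || []),
    ...perms.filter((p) => p.includes("://")),
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ];
  const warnings = new Set();
  if (perms.includes("<all_urls>") || hosts.some((h) => ALL_SITES.has(h))) {
    warnings.add(ALL_SITES_WARNING);
  }
  for (const p of perms) {
    if (WARNINGS.has(p)) warnings.add(WARNINGS.get(p));
  }
  const list = [...warnings];
  const agent = list.some((w) => AGENT_SIGNALS.has(w));
  return { name: manifest.name, shape: agent ? "agent-shaped" : "capture-shaped", warnings: list };
}

// Constructed sample manifests (hypothetical extensions, not real listings).
const agentLike = {
  name: "Example Agent", manifest_version: 3,
  permissions: ["tabs", "downloads", "nativeMessaging", "storage"],
  host_permissions: ["<all_urls>"],
};
const captureLike = {
  name: "Example Capture", manifest_version: 3,
  permissions: ["activeTab", "downloads"],
};
console.log(auditManifest(agentLike), auditManifest(captureLike));
```
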


What to actually do this week

If you have AI browser extensions installed:

  1. Audit them. Chrome's chrome://extensions/ page shows what each one can do.
  2. Read the permissions for any "AI" or "agent" extension. If it has cross-tab access plus authenticated session reach, treat it as high blast radius.
  3. Update Chrome. Run Chrome 148.0.7778.96 or later to pick up the CVE-2026-7940 and CVE-2026-7937 fixes.
  4. Restrict where AI agents run. Some extensions support per-site allowlists. Use them.
  5. Move sensitive PDF capture to local-only tools. Convert: Web to PDF for save-as-PDF, Convert: Anything to PDF for file conversion.

You don't have to give up AI assistance to do this. You just have to isolate the agent from your sensitive workflows.


A note on the broader extension threat picture

ClaudeBleed isn't an isolated event. In the first half of 2026 alone:

  • 108 malicious Chrome extensions were identified in a coordinated campaign affecting user data
  • CVE-2026-7940 (V8 memory handling, exploitable via malicious extensions) patched May 6
  • CVE-2026-7937 (DevTools policy bypass via extensions) patched May 6
  • Chrome extension permission escalation has emerged as a top research area for offensive security teams

The pattern is consistent: extensions that gain too much capability and aren't sandboxed enough become attack tools. The defense isn't "use no extensions" — it's "use small, scoped extensions for specific tasks."


Comparison: how AI browser agents handle "save this page as PDF"

If you really want to compare what an AI agent does vs. a local PDF extension on the same task:

| Step | AI agent (e.g. Claude in Chrome) | Convert: Web to PDF |
|---|---|---|
| Read the page | Yes, full DOM | Yes, current tab only |
| Send to LLM | Yes | No |
| Generate PDF | Sometimes (depending on agent) | Yes |
| Save to disk | Yes | Yes |
| Cross-tab side effects | Possible | None |
| Page content leaves machine | Yes | No |
| Required permissions | Many | Few |

For a one-shot "save this page" task, the agent overhead is enormous and the privacy cost is meaningful. Local extension wins on every axis except "can also write a follow-up email about it" — which you probably don't want the same tool doing in one step anyway.


When AI agents do make sense

To be fair: AI agents in the browser are useful for tasks where the cost of the action is low and the benefit of automation is high:

  • Comparing prices across many tabs
  • Pulling structured info from many similar pages
  • Drafting (not sending!) replies to messages

What we'd avoid in 2026:

  • Letting any agent take destructive actions (delete, share, send, post) without per-action confirmation
  • Letting any agent operate across high-sensitivity contexts (banking, HR, legal, medical, code with secrets)
  • Letting any agent hold long-term credentials to authenticated services

A reasonable rule: an AI agent can suggest and draft; you confirm and send. ClaudeBleed showed what happens when the agent layer can act without verification — the second extension in the chain effectively becomes you, with all your authenticated access, for as long as the agent runs.
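
One way to implement the two controls discussed on this page, strict validation of where a command comes from and per-action confirmation for destructive actions. This is an added example, not Anthropic's code, and it does not reproduce the ClaudeBleed mechanism, whose details the page does not give; `makeGate`, the action names and the extension IDs are hypothetical.

```javascript
// Added example: a deny-by-default gate for commands arriving at an agent
// extension. All names (makeGate, DESTRUCTIVE, the IDs) are hypothetical.
const DESTRUCTIVE = new Set(["send", "delete", "share", "post"]);
const READ_ONLY = new Set(["read", "draft"]);

function makeGate(trustedSenderIds) {
  const trusted = new Set(trustedSenderIds);
  const approved = new Set(); // one-time user approvals, keyed by command id

  return {
    // Called only from the extension's own UI after the user clicks "confirm".
    approve(commandId) { approved.add(commandId); },

    // `sender` has the shape of chrome.runtime.MessageSender ({ id, url, tab }).
    decide(sender, command) {
      // 1. Origin trust: the sender's extension ID must be allowlisted.
      if (!sender || !trusted.has(sender.id)) {
        return { verdict: "deny", reason: "untrusted sender" };
      }
      // 2. Only explicitly known actions pass.
      const action = command && command.action;
      if (READ_ONLY.has(action)) return { verdict: "allow", reason: "read-only" };
      if (!DESTRUCTIVE.has(action)) return { verdict: "deny", reason: "unknown action" };
      // 3. Destructive actions need an approval for this exact command, used once.
      if (approved.delete(command.id)) return { verdict: "allow", reason: "confirmed" };
      return { verdict: "confirm", reason: "needs user confirmation" };
    },
  };
}

// Constructed demo: both IDs are placeholders, not real extension IDs.
const gate = makeGate(["aaaabbbbccccddddeeeeffffgggghhhh"]);
const trustedSender = { id: "aaaabbbbccccddddeeeeffffgggghhhh" };
const otherExtension = { id: "zzzzyyyyxxxxwwwwvvvvuuuuttttssss" };
console.log(gate.decide(otherExtension, { id: "c1", action: "read" }));
console.log(gate.decide(trustedSender, { id: "c2", action: "send" }));
gate.approve("c2");
console.log(gate.decide(trustedSender, { id: "c2", action: "send" }));
console.log(gate.decide(trustedSender, { id: "c2", action: "send" }));
```

In an extension, `decide` would be called from the message listener with the `sender` object Chrome supplies, and a "confirm" verdict would open the extension's own prompt before `approve` is called.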


Frequently asked questions

Q: Did Anthropic fully fix ClaudeBleed?

Reporting in early May 2026 suggested Anthropic's initial patch addressed part of the issue but not all of it. Subsequent updates have continued to land. Check the latest Claude extension release notes and the LayerX advisory for current status before relying on Claude in Chrome for sensitive workflows.

Q: Is Convert: Web to PDF affected by ClaudeBleed?

No. Convert: Web to PDF has no cross-tab access, no authenticated-session reach, and no outbound network calls. The architecture that makes ClaudeBleed possible doesn't apply.

Q: Should I uninstall my AI browser extensions?

That's a judgment call. If you don't use them often, uninstall — it's the simplest reduction in attack surface. If you use them frequently, audit per-extension permissions, keep Chrome updated, and avoid running them on high-sensitivity tabs.

Q: What about ChatGPT Atlas or Perplexity Comet — same risk?

Same category of risk (cross-tab AI agent). The specific implementations differ. As of May 2026 the public advisories center on Claude in Chrome, but any "AI agent in your browser" is on the same threat model spectrum.

Q: Are Manifest V3 extensions safer in general?

MV3 narrows some capabilities, but the categories of risk discussed here (cross-tab access, authenticated session use, ability to act) are still available to extensions that legitimately need them. MV3 isn't a defense against agent-shaped extensions specifically.

Q: How can I check my installed extensions' permissions quickly?

Open chrome://extensions/ and click "Details" on each one. The "Permissions" section lists what it can do. Anything saying "read and change all your data on all websites" is the high-risk category — review whether you actually need it.

Q: Does the patch in Chrome 148.0.7778.96 cover all of this?

Chrome 148.0.7778.96 patches CVE-2026-7940 and CVE-2026-7937. ClaudeBleed is an extension-level issue and is addressed by Claude's extension updates, not by Chrome itself. Both layers need to be current.

Q: What's the safest way to use AI on a page I'm reading?

Capture the page locally to PDF first (Convert: Web to PDF), then decide which parts to feed to an LLM. That separation of capture and processing keeps you in control of what leaves your machine.

Q: Can I disable an extension on certain sites?

Yes. In chrome://extensions/, under "Details," the "Site access" setting lets you restrict an extension to specific sites or to "On click." High-permission extensions should be set to "On click" so they only run when you explicitly trigger them.

Q: How do I report a suspected vulnerable extension?

Use Chrome Web Store's "Flag concern" link on the extension's listing. For Anthropic-specific issues, [email protected]. For research-grade reports, the Chrome Vulnerability Reward Program covers extension issues that affect Chrome itself.

Q: What's the right number of extensions to have installed?

There's no magic number. The right framing: each extension is a piece of code you trust to read or modify your browser context. Keep the ones you actively use; remove the rest. A small kit of scoped, single-purpose extensions is much safer than a sprawling collection of agents.


Bottom line

ClaudeBleed is the first widely reported example of an AI browser agent being weaponized via an adjacent extension to take destructive actions on the user's behalf. It won't be the last. The category of "agents that act across your tabs and your authenticated services" is fundamentally a larger attack surface than the category of "tools that capture the current tab and write a file."

For PDF workflows specifically, the answer is straightforward: use local-only extensions like Convert: Web to PDF and Convert: Anything to PDF. They do one thing, in one tab, with one output. Nothing crosses contexts. Nothing leaves your machine.

That's the entire defense.