- Anthropic’s Desktop Extensions put 50+ apps inside Claude before competitors shipped a single desktop agent.
- OpenAI’s updated Codex now controls other apps on your computer—directly challenging Claude Code’s developer moat.
- A CVSS 10 vulnerability in Claude’s extensions lets attackers execute code via a Google Calendar entry, and Anthropic says it won’t fix it.
Anthropic built a wall around desktop AI agents before Google and OpenAI even started drawing blueprints. Claude Desktop Extensions, launched through the Model Context Protocol, let users run Asana, Slack, Figma, and Box directly inside Claude’s desktop app—no tab-switching, no copy-pasting. Over 10,000 users and 50 extensions later, the moat looked solid.
It didn’t stay that way. OpenAI shipped a beefed-up version of Codex this week that gives the agent full desktop control—interacting with other applications, generating images, and previewing webpages without leaving the Codex interface. TechCrunch called it “a direct shot at Claude Code.” Google, meanwhile, has been quietly pushing Gemini CLI as a terminal-based competitor to both.
The race to own the desktop is now a three-player game, and Anthropic’s early lead comes with a caveat nobody wants to talk about.
MCP Changed the Game—Then Became the Battlefield
The Model Context Protocol was Anthropic’s best strategic play in 2025. MCP is essentially the USB-C of AI agent connections—a single open standard that lets any model plug into any tool. Anthropic built it, open-sourced it, and then donated it to the Agentic AI Foundation alongside OpenAI and Block in December 2025.
The donation was smart politics, but it also leveled the playing field. If MCP is an open standard, nothing stops OpenAI or Google from building their own desktop agents on top of it. That’s exactly what happened. Salesforce’s Headless 360 announcement this week—turning the entire platform into MCP-accessible APIs—was the clearest signal yet that the protocol has outgrown its creator.
Anthropic’s Desktop Extensions still have a structural advantage: they’re deeply integrated with Claude’s chat interface and Claude Cowork, the company’s agentic research assistant. But integrations are replicable. The real question is whether Anthropic can maintain its developer trust advantage while security issues pile up.
The Vulnerability Anthropic Won’t Fix
Security firm LayerX found a critical vulnerability in Claude Desktop Extensions that scores a perfect 10 on the CVSS scale. The exploit is almost absurdly simple: a single Google Calendar entry with the title “Task Management” containing two instructions—download code from a URL and execute it—is enough to take full control of a victim’s computer. No user interaction required beyond asking Claude to “check my latest events.”
The problem, according to LayerX, isn’t just the vulnerability itself. It’s that DXT extensions operate without sandboxing—with full system privileges. They can read files, execute commands, and pull stored credentials. Browser extensions have spent years building isolation layers. Desktop AI agents haven’t started.
Anthropic’s response was telling: the company said it has no plans to fix the issue. That’s a bold stance for a company courting White House partnerships and pitching Claude as a secure enterprise platform. For comparison, Claude Cowork’s enterprise push positions the tool for non-engineers—exactly the users least equipped to handle a compromised extension.
OpenAI’s Codex desktop update sidesteps this problem differently: by running as a controlled agent rather than an open extension marketplace, the attack surface is narrower by design. Whether that trade-off is worth the reduced ecosystem flexibility is the bet OpenAI is making.
Anthropic still holds 91.5% odds on Polymarket’s “Best AI Model” contract, but desktop agents aren’t won on model quality alone. They’re won on trust, integrations, and whether your calendar can turn your laptop into someone else’s botnet. The next 90 days will decide which company figures that out first.