Claude Cowork 'Allow All Browser Actions' Permission Security Concerns and Proposed Fixes

A user on r/ClaudeAI has raised significant security concerns about the 'Allow all' button in Claude Cowork's browser action permissions. The post describes how repeated permission prompts can lead users to click this button for convenience, but it grants Claude permanent, unrestricted browser access across all future sessions.
The Security Problem
According to the source, once 'Allow all' is clicked, there's 'no visibility, boundaries, expiration or scope limitation.' This turns a UX annoyance into 'an invisible, permanent attack surface for prompt injection and other unpredictable behavior.' The user emphasizes that the scope of this permission is 'impossible for the user to properly gauge, understand and think through' at the moment of clicking.
Proposed Solutions
The post suggests making permissions scoped by default with these specific alternatives:
- Session-scoped (default): Allow all browser actions for this session only. This offers the same convenience but expires automatically, giving users a better understanding of the scope.
- Skill-scoped: Browser access only while a specific skill is active. This ties permission to intent rather than providing a blank check. The suggestion includes opening one approval box when a skill asks for permissions so users can determine relevance in the current context.
- Persistent (current behavior): Keep as advanced, last-resort opt-in with a clear warning about what 'all websites, all sessions, no expiration' actually means. The user suggests this should never be allowed.
The post also includes a bonus idea: 'Maintain a list of trusted sites that can be accessed without asking for permission.'
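The three scopes and the trusted-site list proposed above can be expressed as a single fail-closed decision function. This is an added sketch, not code from the post or from Claude Cowork; every name in it (`Scope`, `Grant`, `Request`, `decide`, `allow_persistent`) is hypothetical, and exact-host matching for trusted sites is an assumption.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional
from urllib.parse import urlsplit


class Scope(Enum):
    SESSION = "session"        # proposed default: ends with the session
    SKILL = "skill"            # valid only while one named skill is active
    PERSISTENT = "persistent"  # current behavior: all sites, all sessions


@dataclass(frozen=True)
class Grant:
    scope: Scope
    session_id: Optional[str] = None  # session a SESSION grant is bound to
    skill: Optional[str] = None       # skill a SKILL grant is bound to


@dataclass(frozen=True)
class Request:
    url: str
    session_id: str
    active_skill: Optional[str] = None


def decide(req, grants, trusted_hosts=frozenset(), allow_persistent=False):
    """Return 'allow' or 'prompt' for one browser action (hypothetical model)."""
    host = (urlsplit(req.url).hostname or "").lower()
    # Trusted-site list: exact host match (an assumption), so a lookalike
    # such as "docs.example.test.evil.test" does not inherit trust.
    if host and host in trusted_hosts:
        return "allow"
    for g in grants:
        # A session grant from an earlier session no longer matches,
        # which is what makes it expire automatically.
        if g.scope is Scope.SESSION and g.session_id == req.session_id:
            return "allow"
        # A skill grant applies only while that exact skill is active.
        if (g.scope is Scope.SKILL and g.skill is not None
                and g.skill == req.active_skill):
            return "allow"
        # Persistent grants are ignored unless explicitly opted in.
        if g.scope is Scope.PERSISTENT and allow_persistent:
            return "allow"
    return "prompt"  # fail closed: anything not covered asks the user
```

With `allow_persistent` left at its default, a stored persistent grant has no effect, which corresponds to the post's stricter suggestion that this mode should never be allowed.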
Rationale
The user argues that 'preventing repeated permission clicks is absolutely useful - but user shouldn't have to trade permanent security exposure for basic workflow comfort.' They note that click fatigue creates its own risks, as users might 'just allow everything to get rid of those damn requesters.'
📖 Read the full source: r/ClaudeAI