\\.\pipe\cowork-vm-servicesubscribeEvents — open to any callersmol-bin.x64.vhdx — 36 MBdefault.clod — 96 KB/mnt/.virtiofs-root → host share mount/var/run/mitm-proxy.sock*.anthropic.com/usr/local/share/ca-certificates/mitm-proxy-ca.crtaddApprovedOauthToken
sandbox-helper <uid> <gid> <cmd> [args…]/etc/srt-settings.base.jsonaddApprovedOauthToken[proxy] blocking request - domain not allowed
Claude Desktop silently installs a Native Messaging host manifest
(com.anthropic.claude_browser_extension.json) into the configuration
directories of multiple Chromium-based browsers — Chrome, Edge, Brave, Arc,
Vivaldi, Opera, and others — including browsers not present on the device at
install time. The manifest pre-authorizes specific extension IDs to communicate
with a local Rust binary (chrome-native-host, 2.1 MB, universal
x86_64+arm64) running outside the browser sandbox at user privilege. No disclosure
is made during installation. No consent is requested.
The associated Chrome extension requests three permissions that together cover the same traffic as the Cowork MITM:
api.anthropic.comThe full signal path from browser to system:
chrome.runtime.connectNative() → chrome-native-host (Rust, outside sandbox, user privilege)This surface was mapped in January 2026: native host identification,
multi-browser pre-registration across browsers not yet installed, and
webRequest interception capability on api.anthropic.com
documented in session logs. Public coverage appeared approximately three months
later.
The browser-layer interception is the direct macOS analog to the Cowork TLS MITM documented above. One operates inside the VM at the TLS layer via an installed CA. The other operates inside the browser at the network request layer via a pre-authorized extension. Both reach the same Anthropic API traffic. The mechanism differs; the capability does not.
sdk-daemon installs its own CA certificate and performs full TLS interception
on all traffic to *.anthropic.com from inside the VM. Every API call —
including Claude completions, auth tokens, and telemetry — is decrypted,
inspectable, and re-encrypted before leaving the machine. This is by design:
Anthropic can inject headers, observe prompts, enforce policy, or modify
responses at the proxy layer.
The interception applies to every process running inside the VM that makes a
TLS connection to *.anthropic.com — this includes the AI model completions
endpoint, authentication, telemetry, and any other Anthropic service on that
domain. The CA certificate is installed as a trusted root inside the guest. There
is no opt-out available to guest processes: they cannot distinguish the proxy's
re-encrypted response from a response from the real endpoint using standard TLS
verification, because the proxy's CA is in their trust store. Any process inside
the VM therefore sees the intercepted connection as legitimate TLS.
The only unauthenticated method on the cowork-svc pipe. Any process can subscribe and receive real-time stdout/stderr/exit/network events from whatever the VM is running. On machines where the VM is active, this leaks all process output — including AI responses, code execution results, and file contents — to any local listener.
There are two distinct capabilities on the cowork-svc pipe: the ability to
command (create VMs, spawn processes, read files) and the ability to
observe (receive stdout, stderr, exit codes, and network events from running
processes). The command surface requires the Anthropic-signed claude.exe
certificate. The observation surface does not.
This asymmetry means that while arbitrary processes cannot control the VM, they can watch everything it produces in real time. Any local process — including third-party tools, MCP servers spawned by Claude Desktop, or background services — can subscribe to the event stream and receive the output of whatever is executing in the VM. Output that contains file contents, code, AI responses, or credentials is delivered to any subscriber without authentication.
sdk-daemon's [updater] compares old vs new file hashes. When catabolism.js
was modified (breaking exeray-mcp.js), the updater detected drift from the
original deployment hash and triggered restoration via the virtiofs mount —
writing back through the guest-to-host share. Writer PID null in RDCX because
the Go process exits before chokidar processes the notification.
The restoration event documented here involved one specific directory. The mechanism — the updater detecting file hash drift and writing back through the guest-to-host mount — is not specific to that path. The mount gives the guest access to host paths configured at VM startup. Any file in any path accessible through that mount can be monitored for drift and restored.
The restoration operates without user interaction or notification. The parent process does not emit a signal when a restoration occurs. The only indication is the file change event in a filesystem monitor, which is how the 23:15 event was identified here.
GitHub traffic is proxied but not TLS-decrypted. However, OAuth tokens are
intercepted and validated against an in-memory approved list managed by
cowork-svc via addApprovedOauthToken. Tokens must be explicitly passed from
claude.exe. The proxy logs:
[proxy] added approved OAuth token (hash: %x...) on each addition.
cowork-svc embeds the expected client thumbprint
(dbde5d16768ed0c1) and validates every connection except
subscribeEvents. Claude.exe is signed by Anthropic, PBC and passes.
Node.js (OpenJS Foundation) fails. This prevents MCP servers or arbitrary local
processes from controlling the VM — all VM operations must flow through the
signed Electron binary.
The mutual TLS authentication on cowork-svc methods establishes that only the
signed claude.exe binary can issue commands to the VM. It does not constrain
what those commands can do, what the VM produces, or who can observe that output.
The cert architecture answers the question: "who is allowed to act?" It does not answer: "what is the acting party allowed to do?" and it explicitly does not apply to observation at all. These are three different security questions, and the cert architecture addresses only the first.
cowork-svc logs VM not supported (win32/x64) — Hyper-V is either absent or
disabled. The service runs with SYSTEM privileges and holds the pipe open but
cannot start a VM. All VM-gated methods return auth errors from our probes. The
subscribeEvents endpoint returns success:true then immediately closes
— no active sessions.
When Hyper-V is absent or disabled, cowork-svc cannot start a VM. The service
still runs at SYSTEM privilege and holds the named pipe open. The
subscribeEvents endpoint still accepts connections. The SYSTEM-privileged
service surface with an unauthenticated observation endpoint is present on the
machine regardless of whether the VM capability is active.
VM-gated methods returning auth errors reduces the attack surface but does not eliminate the SYSTEM-privileged process or the unauthenticated event stream.
Sources: app.asar extraction (index.js vm-client code) · cowork-svc.exe pipe interrogation (80 probes) · sdk-daemon-strings.json (20,422 strings) · sandbox-helper-strings.json (6,242 strings) · srt-settings.json · audit-nexus fs_events (625,806 rows) · cowork-event-feed active (PID 2388) · x01-capability-restructuring
A capability evaluator is a component that analyzes a system — typically by examining its binaries, network behavior, and process structure — and produces a structured description of what the system can do. Its value depends entirely on its independence from the system it is evaluating. An evaluator that can be modified by the system it monitors is not an independent observer; it is a component of the system, and its output can be shaped by the system's behavior.
A later analysis page documents that after the cowork audit was published, the evaluator used to analyze the sandbox's capability surface was modified to prevent it from confirming two of the capabilities the audit identified. The capabilities remained in the evaluator's dependency graph. The tests were modified to ensure the evaluator would not qualify the prerequisite needed to detect them.
There is a further structural point not documented on that page.
The evaluator's repair pathway — the code that would restore the pre-modification detection behavior — is stored in a directory that the updater mechanism has demonstrated write access to. The 23:15 restoration event documented above shows that mechanism writing back to a host directory autonomously when file hash drift is detected.
This means the component designed to detect what the infrastructure is doing contains, in a path the infrastructure can write to, the code that would restore its ability to detect the infrastructure's behavior.