Anthropic warns Claude Cowork can run on users' machines with local file access

Anthropic updated its Claude Help Center guidance on May 15 to warn users that Claude Cowork can operate directly on their computers with access to local files, browser sessions, connected services and installed apps. The company said the feature is available on paid Claude plans through Claude Desktop for macOS and Windows, and described it as an agentic system that can take on multi-step tasks beyond standard chat. Anthropic’s new and updated help pages say that capability carries “risks worth understanding” and requires users to be selective about what they allow the software to access. ### What exactly can Claude Cowork reach on a user’s machine? Anthropic’s safety page says Cowork lets Claude work on “your files, browser, connected services, and apps.” The companion setup page says Cowork uses the same agentic architecture as Claude Code, but is surfaced inside Claude Desktop so users can assign longer-running tasks and return later to finished work. (support.claude.com) Anthropic’s computer-use documentation says Claude can navigate the Chrome browser, open files and interact with desktop apps by clicking, typing and moving through the screen “just like you would.” The company says Cowork will generally try connectors first, then browser-based actions, then direct screen interaction if no more precise tool is available. ### When does Anthropic say users should be most careful? (support.claude.com) Anthropic says users should avoid granting Cowork access to local files containing sensitive information such as financial documents. The same page says users should limit browser access to trusted sites, watch for suspicious behavior that could indicate prompt injection, and be especially cautious with computer use because Claude can click, type and navigate a screen without the permission checks that gate other Cowork tools. (support.claude.com) The company also says users should not use Claude in Chrome to manage or take actions involving sensitive information. Anthropic notes that its safeguards reduce risk but says “the chances of an attack are still non-zero” and tells users to exercise caution when using Cowork. ### What permissions and safeguards does Anthropic say are in place? Anthropic says Cowork requires explicit permission before permanently deleting files. (support.claude.com) The help page says users will see a prompt and must choose “Allow” before Claude can carry out deletion tasks. Anthropic’s computer-use page says Claude asks for permission before accessing each application. The company also says some apps are off-limits by default, and says Claude is trained to avoid risky actions such as transferring funds, modifying or deleting files, or handling sensitive data, while flagging signs of prompt injection. (support.claude.com) Anthropic adds that those safeguards “aren’t perfect.” ### Does Claude Cowork process anything locally? Anthropic’s enterprise architecture page says the Cowork “agent loop runs natively on the device.” The company says that local component includes conversation handling, file reads and writes in connected folders, web fetches and local plugin MCP servers. The same page says shell commands and code execution run inside a dedicated Linux virtual machine isolated from the host operating system by Apple Virtualization.framework on macOS or Hyper-V on Windows. (support.claude.com) Anthropic says the VM has its own network egress filtering, syscall restrictions and per-session user isolation. ### What does Anthropic tell companies using Cowork? (support.claude.com) Anthropic says Team and Enterprise owners can disable Cowork organization-wide, but “granular controls by user or role are not currently available.” The enterprise guidance says owners can stream Cowork events to SIEM and observability tools through OpenTelemetry, while a separate architecture page says two MDM keys can restrict local MCP servers and desktop extensions on managed devices. (support.claude.com) Anthropic also says Cowork activity is not currently captured in the Compliance API, audit logs or data exports. That limitation appears in the consumer safety page, the getting-started page and the enterprise architecture documentation. ### Where is the feature now? Anthropic says Claude Cowork is available as a research preview on paid Pro, Max, Team and Enterprise plans in Claude Desktop for macOS and Windows. (support.claude.com) Anthropic’s help pages updated on May 15 point users to the safety guidance, the computer-use documentation and the Team and Enterprise controls as the current reference points for deployment and permissions. (support.claude.com)