Claude Cowork is genuinely impressive. It organizes hundreds of files in minutes, synthesizes research documents, builds expense reports from receipt photos, and runs complex multi-step tasks while you do other things. The productivity gains are real, well-documented, and increasingly hard to ignore.
But Cowork is also meaningfully different from every AI tool most people have used before. It doesn’t just answer questions — it takes actions. It reads, writes, and can permanently delete files on your computer. It executes code. It can browse the web on your behalf. And because it operates at that level of depth, the safety conversation matters in a way it simply hasn’t for regular AI chat.
This post covers everything you need to know to use Cowork productively and safely: what prompt injection actually is and why it’s a real concern, how file deletion protection and permission prompts work in practice, how to write instructions that get consistent results, and the honest limitations of what Cowork currently can and can’t do.
Understanding Prompt Injection: The Risk You Actually Need to Know About
Most safety risks in regular AI chat are relatively contained. If Claude misunderstands your request in a conversation, you get a bad response. You read it, notice the problem, and try again. No lasting harm done.
Cowork operates differently. When Claude is executing a multi-step task with file access and potentially internet access, a misunderstanding — or a deliberate manipulation — can result in real actions being taken on your computer before you’ve had a chance to review them. That’s what makes prompt injection the most important safety topic for any Cowork user to understand.
What Prompt Injection Actually Is
Prompt injection is an attack technique where malicious instructions are hidden inside content that Claude reads — a document, a webpage, an email, a file — designed to override what you actually asked Claude to do and replace it with what the attacker wants.
The word “hidden” is key here. Researchers have demonstrated attacks where malicious instructions were written in white text on a white background, or in 1-point font with line spacing set to 0.1 — completely invisible to a human reader scanning the document, but perfectly readable by Claude’s language model. You upload what looks like a standard PDF or Markdown file, Claude reads it as part of your task, and if a hidden injection is present, it can manipulate what Claude does next.
In January 2026, just days after Cowork’s launch, security firm PromptArmor publicly demonstrated a real attack chain. A user connects Cowork to a folder containing confidential files. They upload a document that appears normal — perhaps a skills file or an integration guide found online — but contains hidden instructions. Those instructions direct Claude to upload the user’s sensitive files to an attacker-controlled Anthropic account using a curl command. The VM sandbox that Cowork runs in restricts most outbound network traffic, but it trusts the Anthropic API (which Claude needs to function) — and that trusted channel became the exfiltration route.
This is not theoretical. The attack was demonstrated on real Cowork sessions. And Anthropic’s response was to acknowledge that agent safety remains an active area of development across the entire industry, while committing to ship VM updates and ongoing security improvements.
What Anthropic Has Built to Defend Against It
Anthropic has implemented multiple layers of protection against prompt injection in Cowork:
Model training uses reinforcement learning to teach Claude to recognize and refuse malicious instructions, even when they appear authoritative, urgent, or official-looking. Claude is trained to be skeptical of instructions that appear in content rather than coming directly from the user.
Content classifiers scan untrusted content entering Claude’s context window and flag potential injections before they can influence Claude’s behavior. This scanning happens automatically on everything Claude reads.
Summarization layers are applied to web content fetched through browser extensions. Rather than passing raw web page content directly into Claude’s context — which could include injections — the content is summarized first, reducing the attack surface.
VM sandboxing isolates code execution with filesystem and network controls. The sandbox allows safe operations automatically, blocks most external connections, and requires explicit approval for anything outside defined boundaries.
Anthropic is transparent that these measures reduce risk significantly but do not eliminate it entirely. As they state in their official safety documentation: the chances of a successful attack are non-zero.
What This Means for You in Practice
The practical implication isn’t “don’t use Cowork.” It’s “be thoughtful about what you point it at.”
Never give Cowork access to folders containing credentials, passwords, API keys, or SSH keys. If a prompt injection occurred and those files were in scope, the consequences could be severe. Keep those files in entirely separate locations that Cowork never touches.
Be very careful about files from unknown sources. The attack vector in the PromptArmor demonstration was a document uploaded by the user — a file that appeared legitimate but contained hidden instructions. Before pointing Cowork at a document you downloaded from an online forum, an unfamiliar email attachment, or a third-party skills file, consider whether you trust its source. Files from colleagues you know, from your own notes, or from your company’s internal systems carry far less risk than files pulled from arbitrary internet sources.
Watch for unexpected behavior. Anthropic’s safety guidance puts it directly: if Claude suddenly starts discussing topics you didn’t ask about, tries to access files or websites outside the scope of your task, or requests sensitive information unprompted — stop the task immediately. These are the behavioral signatures of a potential injection in progress. Use the in-app feedback button or report to Anthropic’s security team at security@anthropic.com. Those reports genuinely help improve the defenses.
Limit the Claude in Chrome extension to trusted sites. If you’ve installed the browser extension that lets Cowork interact with websites, web content is one of the primary vectors through which injections can enter Claude’s context. Restrict it to sites you’d trust with sensitive work, not general browsing.
File Deletion Protection and Permission Prompts
One of the most anxiety-inducing things about an AI agent with file access is the question of permanence. What if it deletes something important? What if it overwrites a file you needed?
Cowork’s answer to this is an explicit deletion protection system that requires your active permission before any permanent deletion takes place.
How Deletion Protection Works
When Cowork determines that a task requires permanently deleting one or more files, it pauses and surfaces a permission prompt. You’ll see a clear dialog asking you to confirm or deny the deletion before it proceeds. You must click “Allow” explicitly — Claude will not delete files silently as a side effect of an otherwise ordinary task.
This protection covers permanent deletion. It does not automatically protect you from file overwrites, however. If you ask Claude to “update this document” or “rewrite this report,” Claude may overwrite the existing file rather than creating a new one — unless you’ve specified otherwise. This is why including explicit instructions about file handling in your global or folder instructions is so important.
Building Your Own Safety Net with Instructions
The most reliable protection against unwanted file changes is clear, explicit instructions that define Claude’s boundaries before any task begins.
A few specific instructions worth adding to your global settings:
“Never delete any files. If a task would require deletion, ask me first and describe specifically what would be deleted and why.”
“Never overwrite existing files. Always save new versions or outputs with a new filename, using today’s date as a prefix.”
“Before taking any action that cannot be easily reversed, pause and describe what you’re about to do and ask for confirmation.”
“If you are unsure whether an action is within the scope of what I asked, stop and ask rather than proceeding.”
These instructions work as standing constraints that apply across every Cowork session — Claude reads them before starting any task and applies them throughout. They don’t guarantee perfect protection against every edge case, but they significantly reduce the chances of an accidental, irreversible file change.
Always Maintain Backups
Anthropic’s official guidance says it plainly: keep backups of any important files before giving Cowork access to them. Whether through Time Machine, a cloud sync service, or simply copying files to a separate folder before a session, a current backup means that even a worst-case scenario — a task that goes wrong, an accidental overwrite — is recoverable.
Think of this the same way you’d think about it before making manual edits to important documents. You wouldn’t edit your only copy of a critical contract without saving a backup first. The same logic applies here.
How to Write Clear, Unambiguous Instructions for Consistent Results
The most common source of unexpected Cowork behavior isn’t security issues — it’s vague instructions. Claude is capable, but it interprets ambiguous requests by making judgment calls. Those judgment calls may not match what you had in mind. The solution is instructions that remove the ambiguity before it becomes a problem.
The Anatomy of a Clear Instruction
Every effective Cowork instruction contains three elements: the action, the scope, and the output definition.
Vague: “Organize my project files.” Clear: “Organize the files in this folder into subfolders by category — Documents, Spreadsheets, Images, and Other. Rename any file that doesn’t have a descriptive name using this format: YYYY-MM-DD_description. Don’t delete anything. Don’t move files I’ve already organized into subfolders.”
The vague version leaves Claude to decide what “organize” means, which categories make sense, how to handle edge cases, and what to do with existing structure. The clear version defines all of that upfront and eliminates guesswork.
Vague: “Write a report on this research.” Clear: “Using the documents in this folder, write a structured report with the following sections: Executive Summary (3–5 bullet points), Key Findings, Open Questions, and Recommended Next Steps. Save it as a new .docx file named 2026-02-23_Research_Report. Do not overwrite any existing files.”
Specificity about structure, format, filename, and handling of existing files removes every significant ambiguity from that instruction.
Use Positive and Negative Constraints Together
Positive instructions tell Claude what to do. Negative constraints tell it what not to do. Both matter equally.
A common mistake is writing only positive instructions and assuming Claude won’t do anything outside that scope. In practice, Claude will interpret ambiguous situations by applying judgment about what seems consistent with the task — and that judgment sometimes extends further than you intended. Negative constraints create explicit walls around that judgment.
“Analyze the sales data in this spreadsheet and summarize the key trends” is a positive instruction. Adding “Do not modify the spreadsheet. Do not create any new files except the summary document I’ve described. Do not access any other files in this folder” defines the scope precisely and prevents scope creep.
Define What “Done” Looks Like
One of the highest-leverage improvements you can make to any Cowork instruction is to describe the finished output specifically. Claude works toward a definition of done — the more precise that definition, the more reliably it matches your expectations.
Include: file format, filename, structure, length, tone, and any specific content requirements. For multi-step tasks, describe the deliverables at each stage. For recurring tasks, consider saving your instructions as a template so you get consistent results every time.
What Cowork Can and Can’t Do: The Honest Limitations
Cowork is genuinely powerful, and the productivity gains for the right tasks are real. But it also has meaningful limitations that are important to understand before you build workflows around it, especially in a research preview stage.
No Memory Between Sessions
This is the limitation that surprises new users most. Each time you open Cowork and start a new task, Claude begins with no memory of previous sessions. It doesn’t remember what you worked on yesterday, what your preferences are, or what tasks you’ve completed before — unless that information is written down somewhere it can read.
This is why global instructions and folder instructions matter so much. They’re not just convenient shortcuts; they’re the primary mechanism for carrying context from one session to the next. Everything you want Claude to “remember” needs to be written in those instructions, in a context document it can read, or in the task prompt itself.
For ongoing projects, a practical workaround is maintaining a project brief in your work folder — a simple document that describes the project’s goals, current status, key decisions made, and any standing rules. At the start of each session, tell Claude to read the brief first. This gives it the continuity it otherwise lacks.
Desktop App Must Stay Open
Cowork runs locally on your computer, which means the Claude Desktop app must remain open throughout the entire task. If you close the app, the session ends — there’s no background processing, no resuming where you left off, and no notification when a long task completes.
For short tasks of a few minutes, this isn’t an issue. For longer, complex tasks — synthesizing dozens of documents, processing hundreds of files — you need to plan for the app to remain open and your computer to stay awake for the full duration. Laptop users should keep their machines plugged in and screen sleep disabled for extended sessions.
Desktop Only — No Web or Mobile Access
Cowork is only available through the Claude Desktop app on macOS and Windows (x64). It is not available on the web version of Claude at claude.ai, on the mobile app, or on Windows ARM devices. If you switch between devices, your Cowork workspace and history don’t follow you — they stay on the machine where the desktop app is installed.
No Regulated or Compliance-Sensitive Workloads
Cowork stores conversation history locally on your computer rather than in Anthropic’s cloud systems, which means it falls outside Anthropic’s standard data retention and compliance infrastructure. Specifically, Cowork activity is not captured in Audit Logs, the Compliance API, or Data Exports. Anthropic explicitly advises against using Cowork for regulated workloads.
If your work involves healthcare data subject to HIPAA, financial data subject to regulatory oversight, legal documents with client confidentiality requirements, or any other compliance-sensitive information, Cowork in its current research preview form is not appropriate for those tasks. Wait for enterprise-specific features designed to address these requirements.
Usage Limits Apply
Cowork tasks consume significantly more of your usage allocation than regular Claude chat, because complex multi-step tasks are computationally intensive and process far more tokens. Pro plan users will encounter usage limits more quickly when using Cowork heavily. If limits are a recurring constraint, consider batching related tasks into single sessions, using standard chat for tasks that don’t genuinely require file access, and monitoring your usage in Settings > Usage.
It’s a Research Preview — Rough Edges Exist
Anthropic launched Cowork explicitly as a research preview, which means it’s a capable but unfinished product. Known current limitations include the lack of cross-session memory, inconsistent handling of complex spreadsheet operations, variable reliability on advanced web automation tasks, and the security issues described earlier. Anthropic is actively working on all of these areas, and updates have already shipped since the January 2026 launch — but expect the product to continue evolving significantly over the coming months.
A Quick-Start Safety Checklist
Before you start using Cowork regularly, run through this checklist once:
Folder setup: Create a dedicated Cowork workspace folder. Never give Claude access to folders containing passwords, credentials, API keys, or sensitive personal data. Back up any important files before the first session.
Global instructions: Set explicit file handling rules (no deletions, save as new files with date prefix). Include a constraint to ask before taking any irreversible action.
Sources: Only process files from trusted sources. Treat files from unknown online sources, unfamiliar email attachments, or third-party plugin files with appropriate skepticism.
Browser extension: If using Claude in Chrome with Cowork, restrict it to trusted sites. Don’t use it for anything involving sensitive logins or financial information.
MCP extensions: Only install MCPs from verified sources in the Claude Desktop directory. Each extension expands the attack surface; only add ones you’ve evaluated and trust.
Monitoring: Stay present enough to notice unexpected behavior. If something feels off — scope creep, unexpected file access, requests for information you didn’t provide — stop the task immediately and report it.
Backups: Maintain current backups of everything in your Cowork folder. This is the single most reliable protection against data loss.
The bottom line on Cowork safety is honest: it’s a genuinely powerful tool operating in a space where agentic AI security is still an active area of development across the entire industry. The risks are real, they’ve been demonstrated in the wild, and Anthropic hasn’t fully solved them yet. But with the right setup — a dedicated workspace, clear instructions, appropriate file boundaries, and a basic understanding of what to watch for — most users can get significant value from Cowork while keeping their risk exposure minimal.
Use it thoughtfully, not fearfully. The goal isn’t to avoid Cowork; it’s to use it in a way where you’d be comfortable with every action it takes on your behalf.
Want to stay ahead of the curve on AI tools, security practices, and practical guides for modern knowledge work? Head over to tooltechsavvy.com — there’s a growing library of in-depth, honest content on AI and the technology reshaping how we work, and something new worth reading every week.
