How to Use Claude Cowork Safely

Claude Cowork runs tasks inside a virtual machine on your computer, but the changes it makes to your local files are real. Claude can read from folders you grant access to, write outputs back to those folders, and delete files only after you approve a permission prompt. That combination of real file access and agentic execution introduces specific risks that differ from a standard chat interface.

The biggest vector for trouble is indirect prompt injection. Web content, documents, and emails can carry hidden instructions that steer Claude's behavior in ways you did not intend. The Claude in Chrome extension makes this risk more concrete because Cowork can interact with live web pages. Anthropic flags this explicitly in their safety article and recommends limiting browser access to trusted sites.

Scheduled tasks add another layer. When a task runs automatically on a cadence, you are not watching it in real time. Errors or injections can compound across runs before anyone notices. Third-party MCPs and plugins expand what Claude can do, but each one introduces a new path for untrusted content to reach the model.

Anthropic is clear about one more thing: Cowork activity does not appear in audit logs, the Compliance API, or data exports. For teams with compliance requirements, that gap means Cowork is not suitable for regulated workloads during the research preview.

Helpful references: Fast.io Workspaces, Fast.io Collaboration, and Fast.io AI.

Anthropic has layered multiple protections into Cowork, though they are upfront that none of them reduce risk to zero.

Model training uses reinforcement learning to teach Claude to recognize and refuse malicious instructions, even when those instructions look authoritative or urgent. Content classifiers scan all untrusted material entering Claude's context and flag potential injections before they can influence behavior. Deletion protection requires explicit user approval: you will see a permission prompt and must click "Allow" before Claude permanently deletes any file.

Network access is restricted by default. Cowork respects your organization's existing egress permissions, so it only reaches sites already allowed by your network policy. An important exception is the web search tool, which can access the broader web regardless of your egress settings. Team and Enterprise owners can turn off web search separately in Organization settings.

These measures buy time and reduce surface area, but Anthropic's own documentation warns that the chances of an attack are still non-zero. The protections are designed to catch common patterns, not to guarantee safety under every condition.

Need a Logged Workspace for Agent Workflows?

Fast.io provides auditable workspaces with file versioning, audit events, and ownership transfer. Free agent tier includes 50GB storage, no credit card required. Built for claude cowork safety workflows.

Sign Up Free

Anthropic's safety article lists seven concrete practices. Each one addresses a different exposure surface.

Be selective about file access. You control which local folders Claude can read and write. Create a dedicated working directory for Claude rather than granting broad access to your home folder or directories containing financial records, credentials, or personal data. Back up important files before running tasks that touch them.

Monitor tasks, not individual commands. You cannot realistically validate every shell command Claude runs, so watch for patterns instead. Is Claude accessing files or websites you did not mention? Is the task scope creeping beyond what you asked for? If something feels off, stop the task immediately using the stop button.

Be cautious with scheduled tasks. Start with low-risk work like generating summaries or compiling information. Avoid scheduling tasks that access sensitive files, send messages on your behalf, make purchases, or take actions that are hard to undo. Review outputs after each run from the "Scheduled" page in the sidebar. Pause or delete tasks you are not actively using.

Limit browser and web access to trusted sources. Web content is a main vector for prompt injection. Only extend Claude's browser access to sites you trust. Remember that network egress permissions do not apply to the web search tool.

Be cautious with unfamiliar MCPs and plugins. Each MCP or plugin you install expands Claude's capabilities and introduces new attack paths. Plugins bundle skills, connectors, and sub-agents into a single package, so one install can expand scope. Stick to verified extensions from the Claude Desktop directory.

Mind cross-app data sharing. When using the Claude for Excel and Claude for PowerPoint add-ins with Cowork, Claude can read, edit, and pass context between these applications without you explicitly directing that transfer. Avoid working with sensitive data in these add-ins while Cowork is active.

Report suspicious behavior immediately. If Claude starts discussing unrelated topics, attempts to access unexpected resources, or requests sensitive information unprompted, stop the task and report it to Anthropic via the in-app feedback button or their safety email.

Anthropic offers admin controls for Team and Enterprise plans, but the current set is narrower than what many organizations expect from enterprise software.

Organization owners can disable Cowork entirely via a toggle in Organization settings under Capabilities. This is an all-or-nothing switch: either every member has access or no one does. Granular controls by user or role are not available during the research preview. If you need selective access, Anthropic asks you to contact their sales team.

Plugins are controlled by the same admin toggle with no separate setting. Owners can create a plugin marketplace to distribute curated plugins with per-plugin preferences: auto-install for everyone, available for self-service, or hidden from the catalog.

Cowork stores conversation history locally on users' machines. This data is not subject to Anthropic's standard data retention policies and cannot be centrally managed or exported by admins. Cowork activity is also not captured in Audit Logs, the Compliance API, or Data Exports. If audit trails are a compliance requirement, Cowork should not be enabled for those workloads.

Network access deserves a look before you enable Cowork. The feature respects your organization's existing egress permissions under Code execution settings, but the web search tool bypasses those restrictions. If your security policy requires strict outbound control, disable web search for Cowork separately in the Capabilities panel. Company branding now shows in Cowork for Team and Enterprise plans, which helps users confirm they are working inside the right organization context.

OpenTelemetry support gives owners visibility into usage, costs, and tool activity, but Anthropic notes it does not replace audit logging for compliance purposes. For teams that need a logged, auditable workspace around their agent workflows, pairing Cowork with a platform like Fast.io gives you workspace-level audit events, file versioning, and ownership transfer that Cowork does not provide on its own.

Cowork is a research preview with constraints that affect how you plan around it.

Claude does not retain memory across Cowork sessions. Each session starts fresh, which limits continuity for long-running projects. Sessions cannot be shared with other people, so collaboration happens by sharing outputs after the fact rather than working together in real time.

Cowork is desktop-only. It requires the Claude Desktop app for macOS or Windows (x64 only) and does not work on web or mobile. The app must remain open during a session, closing it ends the work. Cowork also consumes more of your usage allocation than standard chat because multi-step tasks require more tokens to execute.

You remain responsible for all actions Claude takes on your behalf. This includes published content, financial transactions, data access, and scheduled task outcomes. That responsibility is explicit in Anthropic's documentation, not a fine-print detail.

Usage limits deserve attention too. Cowork tasks consume more of your allocation than standard chat because multi-step work is token-intensive. Anthropic recommends batching related work into single sessions and using regular chat for simpler tasks that do not need file access. You can monitor your usage in Settings under the Usage tab on claude.ai.

For teams starting out, Anthropic's guidance is straightforward: begin with low-risk tasks like folder organization or summary generation, review outputs carefully, and do not enable Cowork for regulated workloads until compliance capabilities catch up.