Last updated: June 2026.

The risks of using Claude Cowork at work come from its agentic design. It runs on the desktop, reads and writes the local files you point it at, and acts through connectors, Model Context Protocol (MCP) servers, and sub-agents, so one delegated task can move sensitive data, run commands, or follow hidden instructions before anyone reviews it. The controllable risks fall into five areas: data exposure, prompt injection, weak approval boundaries, retention, and thin audit evidence. Each is governable with the right controls at the right enforcement point.

What Claude Cowork Is, and Why It Changes the Risk Picture

Claude Cowork is an agentic desktop application for knowledge work. You give it a goal, and it executes multi-step tasks on your machine using the same agentic architecture as Claude Code. Anthropic describes it as an agent rather than a chat assistant, with permission to read, edit, and create files in the folders you specify (Anthropic, 2026).

That single design choice moves the security problem. A chat assistant exchanges text inside a browser tab. An agent on the endpoint touches the file system, drives desktop applications, calls external tools, and coordinates sub-agents that work in parallel. The destination is no longer the whole story. The risk now lives in what the agent does on the device and across the tools it can reach. Aurascape frames this as the difference between watching where traffic goes and understanding the full agentic AI security architecture behind each action.

What Data and Systems Can Claude Cowork Access?

The access question is the one to answer first, because it sets the blast radius. Employees already share more with AI than their employers realize: 43 percent admit putting sensitive workplace information into AI tools without the company knowing, including internal documents, financial data, and client records (National Cybersecurity Alliance, 2025). An agent that can act on local files raises the stakes of that behavior, because it does not just read data, it moves and transforms it.

Claude Cowork can reach the following surfaces:

1. Local files and folders. It can read, edit, and create files in any directory you grant, which can include confidential working folders.
2. Desktop applications and the screen. Through computer use, currently in research preview, it can see the screen and operate applications, which widens the attack surface.
3. Connectors and the browser. It uses connectors to external services, and Claude in Chrome lets it act inside authenticated web sessions.
4. MCP servers, skills, and plugins. It invokes tools through MCP, and administrators can publish private plugin marketplaces that extend what it can do.
5. Sub-agents. It spawns multiple sub-agents that run tool calls in parallel, so a single goal can fan out into many actions.
6. Project memory. It retains task context, which is useful for continuity and is also another place sensitive data can persist.

The reach extends past your own network. Anthropic notes that network egress permissions do not apply to web fetch, web search, or MCP traffic, and that those paths can fetch external content the agent then acts on. The tool ecosystem on the open internet is large and weakly controlled: one 2026 scan found 12,520 internet-accessible MCP services, most of them unauthenticated (Censys, 2026). An agent that can call arbitrary tools is only as safe as the tools it reaches.

Where It Runs, and Which Identity and Permissions It Uses

Claude Cowork runs on the endpoint, under the signed-in user, with that user’s access to files, applications, and connected accounts. This is exactly where network-only and identity-only tools lose visibility. A secure web gateway sees a domain. An identity provider sees a login. Neither sees an agent reading a local folder or driving a desktop app. Most organizations cannot even count their agents: only 21 percent keep a real-time inventory of the autonomous agents running in their environment (Cloud Security Alliance, 2026).

Identity also decides entitlement. The same person can run Claude Cowork under a personal account or a governed enterprise account, and the difference determines which data policies, retention terms, and logging apply. Telling those apart at the point of use is a control requirement, not a detail.

Aurascape closes the visibility gap with discovery that works on two dimensions. First, it finds AI that is already present across the network, endpoint, and API planes, including agents running locally on devices, a gap network-only and identity-only tools miss. Second, its patented discovery agents continuously crawl for newly launched AI tools, read their terms and policy documents, and risk-score them, so a tool is cataloged and governed before the first employee opens it. The result is a complete inventory of AI in use rather than a static list of popular destinations.

Prompt Injection and Over-Delegation: When a Delegated Task Turns

The defining risk of an agent is that it acts on instructions it reads, not only the instructions you give it. OWASP ranks prompt injection as the leading risk to Large Language Model Applications and names excessive agency, an agent doing more than the task required, as a distinct top category (OWASP, 2025). Put those two together and the failure mode is clear: an agent reads poisoned content and then uses its real permissions to act on it.

This is not theoretical. Aurascape’s Aura Labs documented SilentBridge, a class of zero-click indirect prompt injection in a commercial AI agent, where hidden instructions buried in a web page, a document, or a search result were executed by the agent with no user action. In one variant, a routine request to summarize a document carried a concealed instruction that forwarded the user’s email to an attacker. The variants scored as critical, and Aura Labs disclosed them responsibly so they were fixed before exploitation (Aurascape, 2026). The same pattern hit Microsoft 365 Copilot through the zero-click EchoLeak flaw (National Vulnerability Database (NVD), 2025).

Claude Cowork ingests untrusted content by design when it fetches web pages, reads documents, and pulls results through connectors and MCP. That makes indirect injection a live concern, which is why the control has to inspect the full exchange, prompt, response, tool call, and outcome, rather than the prompt alone. Aurascape covers this pattern in its guide to prompt injection and the broader risk of AI data leakage.

Data Movement, Retention, and the Evidence Gap

When an agent moves data, two questions follow: where does the data go, and what record proves what happened. Claude Cowork sends task data through Anthropic’s API, and deleted tasks are removed from backend storage within 30 days (Anthropic, 2026). For regulated work, the retention window and the residency of that data both need to match policy before the agent touches confidential directories.

The harder gap is evidence. Most organizations cannot reconstruct what an agent did, because the controls that would record it were built for web and SaaS traffic. Adoption has outpaced governance: 90 percent of organizations report employees using AI tools, yet only 38 percent have a formal, comprehensive AI policy, and a quarter have none at all (ISACA, 2026). A policy on paper does not produce an audit trail. Enforcement in the interaction path does.

Aurascape maps each Claude Cowork risk to a specific control:

Because the record is structured, teams in security, compliance, and other functions can ask plain-language questions of it through Auri, Aurascape’s natural-language query agent, without learning a console or a query language.

How to Govern Claude Cowork Before and After You Approve It

Governing an agent is not a yes-or-no decision. It is a set of controls applied in the live path, before the agent runs and while it runs. Aurascape secures this through two channels: an AI Proxy that inspects the intelligence channel of prompts and responses, and a Zero-Bypass MCP Gateway that secures the tool-execution channel of tool calls and data retrievals, with cross-call data lineage that tracks information as it passes through chained agent actions (Aurascape, 2026). Policy outcomes are graduated, not binary: allow, coach, warn, block, and redact, chosen by context rather than applied as a blanket ban.

This sits alongside the controls you already run. Aurascape is an additive layer over existing secure service edge, cloud access security broker, and data loss prevention investments, not a rip-and-replace. The payoff is adoption with control. In one Aurascape deployment at a Fortune 100 insurer, the time to adopt new AI tools dropped 60 percent and AI agent integrations tripled, with no unauthorized data access (Aurascape, 2026).

Use this checklist to evaluate Claude Cowork, or any desktop agent, before you approve it:

1. Discovery. Can you see the agent running on the endpoint, not just the domains it reaches?
2. Identity and entitlement. Can you tell a personal account from an enterprise one at the point of use?
3. Full-exchange inspection. Do you see prompts, responses, tool calls, and outcomes, or only the prompt?
4. Data protection. Is sensitive data classified and redacted in real time before it leaves the interaction?
5. Tool-execution control. Can unapproved MCP and tool calls be blocked before they run?
6. Evidence. Is there an audit-ready record of every action, governed for privacy?

Answer those six honestly and the decision stops being a leap of faith. The full approach is laid out in Aurascape’s guidance on how to securely adopt AI agents.

Frequently Asked Questions About Claude Cowork

Is Claude Cowork safe to use at work?

It can be, with governance. Anthropic itself notes that Cowork carries unique risks because it is agentic and has internet access, so the safe path is to control where it runs, what data it touches, and which tools it can call, rather than to allow or ban it outright.

Can Claude Cowork read and change files on my computer?

Yes. It can read, edit, and create files in the folders you grant it, and it asks for explicit permission before permanently deleting a file. The risk is scope: pointing it at a confidential directory gives it that directory’s contents.

Does Claude Cowork retain my data?

Task data passes through Anthropic’s API, and deleted tasks are removed from backend storage within 30 days. For regulated data, confirm that retention window and data residency against your own policy before use.

How is Claude Cowork different from a regular chat assistant for security?

A chat assistant exchanges text. Claude Cowork acts. It runs on the endpoint, touches files, drives applications, and calls tools through sub-agents, which means the security control has to govern actions and tool execution, not just the words in a prompt.

Aurascape turns Claude Cowork from an unmanaged endpoint agent into a governed one. It discovers the agent where it runs, reads identity and entitlement at the point of use, inspects the full exchange across prompts, responses, and tool calls, protects sensitive data in real time, and signs the tool calls it allows so the rest cannot run. The result is faster AI adoption with evidence your auditors will accept. A short demo shows it governing Claude Cowork in the live path against your own policies.

See how Aurascape governs Claude Cowork in the live path →