Cowork: Claude Code for the rest of your work

Worth calling out that execution runs in a full virtual machine with only user-selected folders mounted in. CC itself runs, if the user set network rules, with https://github.com/anthropic-experimental/sandbox-runtime.

There is much more to do - and our docs reflect how early this is - but we're investing in making progress towards something that's "safe".

> (I don't think it's fair to ask non-technical users to look out for "suspicious actions that may indicate prompt injection" personally!)

It's the "don't click on suspicious links" of the LLM world and will be just as effective. It's the system they built that should prevent those being harmful, in both cases.

That's why I run it inside a sandbox - https://github.com/ashishb/amazing-sandbox

What would you consider a tight sandboxed without exfiltration vectors? Agents are used to run arbitrary compute. Even a simple write to disk can be part of an exfiltration method. Instructions, bash scripts, programs written by agents can be evaluated outside the sandbox and cause harm. Is this a concern? Or, alternatively, your concern is what type of information can leak outside of that particular tight sandbox? In this case I think you would have to disallow any internet communication besides the LLM provider itself, including the underlying host of the sandbox.

You brought this up a couple of times now, would appreciate clarification.

Is there any reasonably fast and portable sandboxing approach that does not require a full blown VM or containers? For coding agents containers are probably the right way to go, but for something like Cowork that is targeted at non-technical users who want or have to stay local, what's the right way?

container2wasm seems interesting, but it runs a full blown x86 or ARM emulator in WASM which boots an image derived from a docker container [0].

[0] https://github.com/container2wasm/container2wasm

I built https://github.com/nezhar/claude-container for exactly this reason - it's easy to make mistakes with these agents even for technical users, especially in yolo mode.

I do get a "Setting up Claude's workspace" when opening it for the first time - it appears that this does do some kind of sandboxing (shared directories are mounted in).

Prompt injection will never be "solved". It will always be a threat.

> (I don't think it's fair to ask non-technical users to look out for "suspicious actions that may indicate prompt injection" personally!)

Yes, but at least now its only restricted to Claude Max subscribers, who are likely to be at least semi-technical (or at least use AI a lot)?

> tells users "Avoid granting access to local files with sensitive information, like financial documents"

Good job that video of it organising your Desktop doesn't show folders containing 'Documents', 'Photos', and 'Projects'!

Oh wait.

My entire job is working with financial documents so this doesn't really do much for me

I haven't dug too deep, but it appears to be using a bubblewrap sandbox inside a vm on the Mac using Apple's Virtualization.framework from what I can tell. It then uses unix sockets to proxy network via socat.

ETA: used Claude Code to reverse engineer it:

   Insight ─────────────────────────────────────

  Claude.app VM Architecture:
  1. Uses Apple's Virtualization.framework (only on ARM64/Apple Silicon, macOS 13+)
  2. Communication is via VirtioSocket (not stdio pipes directly to host)
  3. The VM runs a full Linux system with EFI/GRUB boot

  ─────────────────────────────────────────────────

        ┌─────────────────────────────────────────────────────────────────────────────────┐
        │  macOS Host                                                                     │
        │                                                                                 │
        │  Claude Desktop App (Electron + Swift native bindings)                          │
        │      │                                                                          │
        │      ├─ @anthropic-ai/claude-swift (swift_addon.node)                           │
        │      │   └─ Links: Virtualization.framework (ARM64 only, macOS 13+)            │
        │      │                                                                          │
        │      ↓ Creates/Starts VM via VZVirtualMachine                                   │
        │                                                                                 │
        │  ┌──────────────────────────────────────────────────────────────────────────┐  │
        │  │  Linux VM (claudevm.bundle)                                              │  │
        │  │                                                                          │  │
        │  │  ┌────────────────────────────────────────────────────────────────────┐  │  │
        │  │  │  Bubblewrap Sandbox (bwrap)                                        │  │  │
        │  │  │  - Network namespace isolation (--unshare-net)                     │  │  │
        │  │  │  - PID namespace isolation (--unshare-pid)                         │  │  │
        │  │  │  - Seccomp filtering (unix-block.bpf)                              │  │  │
        │  │  │                                                                    │  │  │
        │  │  │  ┌──────────────────────────────────────────────────────────────┐  │  │  │
        │  │  │  │  /usr/local/bin/claude                                       │  │  │  │
        │  │  │  │  (Claude Code SDK - 213MB ARM64 ELF binary)                  │  │  │  │
        │  │  │  │                                                              │  │  │  │
        │  │  │  │  --input-format stream-json                                  │  │  │  │
        │  │  │  │  --output-format stream-json                                 │  │  │  │
        │  │  │  │  --model claude-opus-4-5-20251101                            │  │  │  │
        │  │  │  └──────────────────────────────────────────────────────────────┘  │  │  │
        │  │  │       ↑↓ stdio (JSON-RPC)                                          │  │  │
        │  │  │                                                                    │  │  │
        │  │  │  socat proxies:                                                    │  │  │
        │  │  │  - TCP:3128 → /tmp/claude-http-*.sock (HTTP proxy)                │  │  │
        │  │  │  - TCP:1080 → /tmp/claude-socks-*.sock (SOCKS proxy)              │  │  │
        │  │  └────────────────────────────────────────────────────────────────────┘  │  │
        │  │                                                                          │  │
        │  └──────────────────────────────────────────────────────────────────────────┘  │
        │           ↕ VirtioSocket (RPC)                                                 │
        │      ClaudeVMDaemonRPCClient.swift                                             │
        │           ↕                                                                    │
        │      Node.js IPC layer                                                         │
        └─────────────────────────────────────────────────────────────────────────────────┘

ComponentDetailsKernelLinux 6.8.0-90-generic aarch64 (Ubuntu PREEMPT_DYNAMIC)OSUbuntu 22.04.5 LTS (Jammy Jellyfish)HostnameclaudeCPU4 cores, Apple Silicon (virtualized), 48 BogoMIPSRAM3.8 GB total (~620MB used at idle)SwapNone

Storage Layout

DeviceSizeTypeMount PointPurpose/dev/nvme0n1p19.6 GBext4/Root filesystem (rootfs.img)/dev/nvme0n1p1598 MBvfat/boot/efiEFI boot partition/dev/nvme1n19.8 GBext4/sessionsSession data (sessiondata.img)virtiofs-virtiofs/mnt/.virtiofs-root/shared/...Host filesystem access

Filesystem Mounts (User Perspective)

        /sessions/gallant-vigilant-lamport/
        ├── mnt/
        │   ├── claude-cowork/     → Your selected folder (virtiofs + bindfs)
        │   ├── .claude/           → ~/.claude config (bindfs, rw)
        │   ├── .skills/           → Skills/plugins (bindfs, ro)
        │   └── uploads/           → Uploaded files (bindfs)
        └── tmp/                   → Session temp files
        
        Session User
        A dedicated user is created per session with a Docker-style random name:
        User: gallant-vigilant-lamport
        UID:  1001
        Home: /sessions/gallant-vigilant-lamport
        Process Tree
        PID 1: bwrap (bubblewrap sandbox)
        └── bash (shell wrapper)
            ├── socat TCP:3128 → unix socket (HTTP proxy)
            ├── socat TCP:1080 → unix socket (SOCKS proxy)
            └── /usr/local/bin/claude (Claude Code SDK)
                └── bash (tool execution shells)

        Security Layers

        Apple Virtualization.framework - Hardware-level VM isolation
        Bubblewrap (bwrap) - Linux container/sandbox

        --unshare-net - No direct network access
        --unshare-pid - Isolated PID namespace
        --ro-bind / / - Read-only root (with selective rw binds)


        Seccomp - System call filtering (unix-block.bpf)
        Network Isolation - All traffic via proxied unix sockets

        Network Architecture
        ┌─────────────────────────────────────────────────────────────┐
        │  Inside Sandbox                                             │
        │                                                             │
        │  claude process                                             │
        │      │                                                      │
        │      ↓ HTTP/HTTPS requests                                  │
        │  localhost:3128 (HTTP proxy via env vars)                   │
        │      │                                                      │
        │      ↓                                                      │
        │  socat → /tmp/claude-http-*.sock ─────────┐                │
        │                                            │                │
        │  localhost:1080 (SOCKS proxy)              │                │
        │      │                                     │                │
        │      ↓                                     │                │
        │  socat → /tmp/claude-socks-*.sock ────────┤                │
        └───────────────────────────────────────────┼────────────────┘
                                                    │
                                VirtioSocket ←──────┘
                                                    │
        ┌───────────────────────────────────────────┼────────────────┐
        │  Host (macOS)                             │                │
        │                                           ↓                │
        │                              Claude Desktop App            │
        │                                           │                │
        │                                           ↓                │
        │                                    Internet                │
        └─────────────────────────────────────────────────────────────┘
        Key insight: The VM has only a loopback interface (lo). No eth0, no bridge. All external network access is tunneled through unix sockets that cross the VM boundary via VirtioSocket.


  Communication Flow

  From the logs and symbols:

  1. VM Start: Swift calls VZVirtualMachine.start() with EFI boot
  2. Guest Ready: VM guest connects (takes ~6 seconds)
  3. SDK Install: Copies /usr/local/bin/claude into VM
  4. Process Spawn: RPC call to spawn /usr/local/bin/claude with args

  The spawn command shows the actual invocation:
  /usr/local/bin/claude --output-format stream-json --verbose \
    --input-format stream-json --model claude-opus-4-5-20251101 \
    --permission-prompt-tool stdio --mcp-config {...}

There's no AI that's secure and capable of doing anything an idiot would do on the internet with whatever data you give it.

This is a perfect encapsulation of the same problem: https://www.reddit.com/r/BrandNewSentence/comments/jx7w1z/th...

Substitute AI with Bear

How does prompt injection happen? Or is it more a new link in a chain of existing failures?

If you're on Linux, you can run AI agents in Firejail to limit access to certain folders/files.

Terrible advice to users: be on the lookout for suspicious actions. Humans are terrible at this.

That's one thing. Another would be introducing homomorphic encryption in order for companies and people using their models to stay compliant and private. I can't believe it's such an under-researched area in AI.

Frequency vs. convenience will determine how big of a deal this is in practice.

Cars have plenty of horror stories associated with them, but convenience keeps most people happily driving everyday without a second thought.

Google can quarantine your life with an account ban, but plenty of people still use gmail for everything despite the stories.

So even if Claude cowork can go off the rails and turn your digital life upside down, as long as the stories are just online or "friend of a friend of a friend", people won't care much.

The first version is for macOS, which has snapshots [1] and file versioning [2] built-in.

[1]: https://eclecticlight.co/2024/04/08/apfs-snapshots/

[2]: https://eclecticlight.co/2021/09/04/explainer-the-macos-vers...

Once upon a time, in the magical days of Windows 7, we had the Volume Shadow Copy Service (aka "Previous Versions") available by default, and it was so nice. I'm not using Windows anymore, and at least part of the reason is that it's just objectively less feature complete than it used to be 15 years ago.

Q: What would prevent them from using git style version control under the hood? User doesn’t have to understand git, Claude can use it for its own purposes.

Indeed there are and this is no rocket science. Like Word Documents offer a change history, deleted files go to the trash first, there are undo functions, TimeMachine on MacOs, similar features on Windows, even sandbox features.

If this is like Claude Code for everyone else, shouldn’t it be snapshotting anything it changes so that you can go back to the previous state?

In theory the risk is immense and incalculable, but in practice I've never found any real danger. I've run wide open powershell with an OAI agent and just walked away for a few hours. It's a bit of a rush at first but then you realize it's never going to do anything crazy.

The base model itself is biased away from actions that would lead to large scale destruction. Compound over time and you probably never get anywhere too scary.

Yeah, seems like this could be achieved by using https://github.com/streamich/memfs/blob/master/docs/snapshot...

Weird they don't use it - might backfire hard

IIUC, this is a preview for Claude Max subscribers - I'm not sure we'll find many teachers or students there (unless institutions are offering Max-level enterprise/team subscriptions to such groups). I speculate that most of those who will bother to try this out will be software engineering people. And perhaps they will strengthen this after enough feedback and use cases?

Pretty much every company I work with uses the desktop sync tools for OneDrive/GoogleDrive/Dropbox etc.

It would be madness to work completely offline these days, and all of these systems have version history and document recovery built in.

There's no reason why Claude can't use git to manage the folders that it controls.

I would never use what is proposed by OP. But, in any case, Linux on ZFS that is automatically snapshotted every minute might be (part of) a solution to this dilemma.

TimeMachine has never been so important.

I hope we see further exploration into immutable/versioned filesystems and databases where we can really let these things go nuts, commit the parts we want to keep, and revert the rest for the next iteration.

A human can also accidentally delete or mess up some files. The question is whether Claude Cowork is more prone to it.

You make a good point. I imagine that they will eventually add Perforce-style versioning to the product and this issue will be solved.

So the future is NixOS for non-technical people?

Somewhat related is a concern I have in general as things get more "agentic" and related to the prompt injection concerns; without something like legally bullet-proof contracts, aren't we moving into territory of basically "employing" what could basically be "spies" at all levels from personal (i.e., AI company staff having access to your personal data/prompts/chats) to business/corporate espionage, to domestic and international state level actors who would also love to know what you are working on and what you are thinking/chatting about and maybe what your mental health challenges are that you are working through with an AI chat therapist.

I am not even certain if this issue can be solved since you are sending your prompts and activities to "someone else's computer", but I suspect if it is overlooked or hand-waved as insignificant, there will be a time when open, local models will become useful enough to allow most to jettison cloud AI providers.

I don't know about everyone else, but I am not at all confident in allowing access and sending my data to some AI company that may just do a rug pull once they have an actual virtual version of your mind in a kind of AI replication.

I'll just leave it at that point and not even go into the ramifications of that, e.g., "cybercrimes" being committed by "you", which is really the AI impersonator built based on everything you have told it and provide access to.

>>I expect to see many stories from parents, non-technical colleagues, and students who irreparably ruined their computer.

I do believe the approach Apple is taking is the right way when it comes to user facing AI.

You need to reduce AI to being an appliance that does one or at most a few things perfectly right without many controls with unexpected consequences.

Real fun is robots. Not sure no one is hurrying up on that end.

>>Edit: most comments are focused on pointing out that version control & file system snapshot exists: that's wonderful, but Claude Cowork does not use it.

Also in my experience this creates all kinds of other issues. Like going back up a tree creates all kinds of confusions and keeps the system inconsistent with regards to whatever else it is you are doing.

You are right in your analysis that many people are going to end up with totally broken systems

There was a couple of posts here on hacker news praising agents because, it seems, they are really good at being a sysadmin. You don't need to be a non-technical user to be utterly fucked by AI.

Not a big problem to make snapshots with lvm or zfs and others. I use it automatically on every update

Your terms for Claude Max point to the consumer ToS. This ToS states it cannot be used for commercial purposes. Why is this? Why are you marketing a product clearly for business use and then have terms that strictly forbid it.

I’ve been trying to reach a human at Anthropic for a week now to clarify this on behalf of our company but can’t get past your AI support.

Hi Felix!

Simple suggestion: logo should be a cow and and orc to match how I originally read the product name.

AI and Claude Code are incredible tools. But use cases like "Organize my desktop" are horrible misapplications that are insecure, inefficient and a privacy nightmare. Its the smart refrigerator of this generation of tech.

I worry that the average consumer is none the wiser but I hope a company that calls itself Anthropic is anthropic. Being transparent about what the tool is doing, what permissions it has, educating on the dangers etc. are the least you can do.

With the example of clearing up your mac desktop: a) macOS already autofolds things into smart stacks b) writing a simple script that emulates an app like Hazel is a far better approach for AI to take

Looks cool, and I'm guilty as charged of using CC for more than just code. However, as a Max subscriber since the moment it was a thing, I find it a bit disheartening to see development resources being poured into a product that isn't available on my platform. Have you considered adding first-class support for Linux? -- Or for that matter sponsoring one of the Linux repacks of Claude Desktop on Github? I would love to use this, but not if I need to jump through a bunch of hoops to get it up and running.

Hi there, your training and inference rely on the openness of Linux. Would you consider giving something back with Claude for Linux?

What probability would you give for Linux support for Claude Desktop in 2026?

Beachball of death on “Starting Claude’s workspace” on the Cowork tab. Force quit and relaunch, and Claude reopens on the Cowork tab, again hanging with the beachball of death on “Starting Claude’s workspace”.

Deleting vm_bundles lets me open Claude Desktop and switch tabs. Then it hangs again, I delete vm_bundles again, and open it again. This time it opens on the Chat tab and I know not to click the Cowork tab...

You released it at just the right time for me. When I saw your announcement, I had two tasks that I was about to start working on: revising and expanding a project proposal in .docx format and adapting some slides (.pptx) from a past presentation for different audience.

I created a folder for Cowork, copied a couple of hundred files into it related to the two tasks, and told Claude to prepare a comprehensive summary in markdown format of that work (and some information about me) for its future reference.

The summary looked good, so I then described the two tasks to Claude and told it to start working.

Its project proposal revision was just about perfect. It took me only about 10 more minutes to polish it further and send it off.

The slides took more time to fix. The text content of some additional slides that Claude created was quite good and I ended up using most of it, but the formatting did not match the previous slides and I had to futz with it a while to make it consistent. Also, one slide it created used a screenshot it took using Chrome from a website I have built; the screenshot didn’t illustrate what it was supposed to very well, so I substituted a couple of different screenshots that I took myself. That job is now out the door, too.

I had not been looking forward to either of those two tasks, so it’s a relief to get them done more quickly than I had expected.

One initial problem: A few minutes into my first session with Claude in Cowork, after I had updated the app, it started throwing API errors and refusing to respond. I used the "Clear Cache and Restart" from the Troubleshooting menu and started over again from the start. Since then there have been no problems.

Why do all similar demos show “prep the deck” use case as if everybody is building power point slides all day long?

Hey, congrats on the launch. Been thinking lot about this space (wrote this back in August: https://martinalderson.com/posts/building-a-tax-agent-with-c...).

Would love to connect, my emails in my bio if you have time!

Hi Felix, this looks like an incredible tool. I've been helping non-tech people at my org make agent flows for things like data analysis—this is exactly what they need.

However, I don't see an option for AWS Bedrock API in the sign up form, is it planned to make this available to those using Bedrock API to access Claude models?

I guess you need to know about this: https://news.ycombinator.com/item?id=46597781

Do you expect more token usage with it or will Anthropic change the limits of user token limit in the future?

Being able to undo any changes that Cowork makes seems important. Any plans for automatic snapshots or an undo log?

Would love to see a Linux native application for this, after all a lot of folks are using it more and more these days.

Was looking forward to try it, but just processing a notion page and prepare an outline for a report breaks it: This is taking longer than usual...(14m 2s)

/e: stopped it and retried. it seems it can't use the connectors? I get No such tool available

Question: I see that the “actions hints” in the demo show messaging people as an option.

Is this a planned usecase, for the user to hand over human communication in, say, slack or similar? What are the current capabilities and limitations for that?

Hey Felix, would love to give you feedback, but the language redirect of the website is trying to route me to de-de, and thus I can't see the page.

You might want to fix this.

Cheers Felix, congrats on the launch!

Hi! Windows support when?

Hullo! Congrats on shipping this, it looks great!

I'm very curious about what you mean by 'cross device sync' in the post?

Congrats! I'll be working this out. It doesn't seem that you can connect to gmail currently through cowork right now. When will the connectors roll out for this? (Gmail works fine in chats currently).

would like to be able to point at aws bedrock models like i can with claude code

Looks good so far - I hope Windows support follows soon!

hello Felix, that page is 404 here at the moment :(

Congrats Felix :)

Please give me access via api key

It's great and reassuring to know that, in this day and age, products still get made entirely by one individual.

> Hi, Felix from the team here, this is my product - let us know what you think. > We're on purpose releasing this very early, we expect to rapidly iterate on > it.

> (We're also battling an unrelated Opus 4.5 inference incident right now, so > you might not see Cowork in your client right away.)

you could have made if much simpler using playwright mcp.

hope u used these. can drastically reduce the 11mb to a couple of hundred kilobytes.

https://github.com/thameera/harcleaner and https://har-sanitizer.pages.dev/

A more easy reproduction: disable JS.

To bypass: `.transition_wrap { display: none }`

On android, these don't work: Firefox Chrome Firefox focus :-(

Thanks anthropic

doesn't work.

You could figure it out yourself under 5 mins. Nothing crazy here.