Sadly they haven't completely solved that yet. Instead their help page at https://support.claude.com/en/articles/13364135-using-cowork... tells users "Avoid granting access to local files with sensitive information, like financial documents" and "Monitor Claude for suspicious actions that may indicate prompt injection".
(I don't think it's fair to ask non-technical users to look out for "suspicious actions that may indicate prompt injection" personally!)
There's no sandboxing snapshot in revision history, rollbacks, or anything.
I expect to see many stories from parents, non-technical colleagues, and students who irreparably ruined their computer.
Edit: most comments are focused on pointing out that version control & file system snapshot exists: that's wonderful, but Claude Cowork does not use it.
For those of us who have built real systems at low levels I think the alarm bells go off seeing a tool like this - particularly one targeted at non-technical users
(We're also battling an unrelated Opus 4.5 inference incident right now, so you might not see Cowork in your client right away.)
Turns out that the data-prevent-flicker attribute is never removed if the Intellimize script fails to load. I use DNS-based adblock and I can confirm that allowlisting api.intellimize.co solves the problem, but it would be great if this could be fixed for good, and I hope this helps.
Right?
RIGHT??????
Are you sure that you need to grant the cloud full access to your desktop + all of its content to sort elements alphabetically?
What do the words "if it's instructed to" mean here? It seems like Claude can in fact delete files whenever it wants regardless of instruction.
For example, in the video demonstration, they ask "Please help me organize my desktop", and Claude decides to delete files.
They can and most likely will release something that vaporises the thin moat you have built around their product.
This feels like the first time in tech where there are more startups/products being subsumed (agar.io style) than being created.
But for writing prose, I don't think chat-to-prose is ideal, i.e. most people would not want to keep prose "at a distance".
I bet most people want to be immersed in an editor where they are seeing how the text is evolving. Something like Zed's inline assistant, which I found myself using quite a lot when working on documents.
I was hoping that Cowork might have some elements of an immersive editor, but it's essentially transplanting the CLI chat experience to an ostensibly "less scary" interface, i.e., keeping the philosophy of artifacts separate from your chat.
What's the play after you have automated yourselves out of a job?
Retrain as a skilled worker? Expect to be the lucky winner who is in cahoots with the CEO/CTO and magically gets to keep the job? Expect the society to turn to social democracy and produce UBI? Make enough money to live off investments portfolio?
But it also gets to one of Claude's (Opus 4.5) current weaknesses - image understanding. Claude really isn't able to understand details of images in the same way that people currently can - this is also explained well with an analysis of Claude Plays Pokemon https://www.lesswrong.com/posts/u6Lacc7wx4yYkBQ3r/insights-i.... I think over the next few years we'll probably see all major LLM companies work on resolving these weaknesses & then LLMs using UIs will work significantly better (and eventually get to proper video stream understanding as well - not 'take a screenshot every 500ms' and call that video understanding).
For instance I use claude code to classify my expenses (given a bank statement CSV) for VAT reporting, and fill in the spreadsheet that my accountant sends me. Or for noting down line items for invoices and then generating those invoices at the end of the month. Or even booking a tennis court at a good time given which ones are available (some of the local ones are north/south facing which is a killer in the evening). All these tasks could be done at least as well outside the terminal, but the actual capability exists - and can only exist - on my computer alone.
I hope this will interact well with CLAUDE.md and .claude/skills and so forth. I have those files and skills scattered all over my filesystem, so I only have to write the background information for things once. I especially like having claude create CLIs and skills to use those CLIs. Now I only need to know what can be done, rather than how to do it - the “how” is now “ask Claude”.
It would be nice to see Cowork support them! (Edit: I see that the article mentions you can use your existing 'connectors' - MCP servers I believe - and that it comes with some skills. I haven't got access yet so I can't say if it can also use my existing skills on my filesystem…)
(Follow-up edit: it seems that while you can mount your whole filesystem and so forth in order to use your local skills, it uses a sandboxed shell, so your local commands (for example, tennis-club-cli) aren't available. It seems like the same environment that runs Claude Code on the Web. This limits the use for the moment, in my opinion. Though it certainly makes it a lot safer...)
Something like this is promising but from what I can see, still lacking. So far I've been dealing with the regular issues (models aren't actually that smart, work with their strengths and weaknesses) but also more of the data problem - simple embeddings just aren't enough, imo. And throwing all of the data at the model is just asking for context poisoning, hallucinations and incorrect conclusions.
Been playing with instruction tuned embeddings/sentiment and almost building a sort of "multimodal" system of embedding to use with RAG/db calls. What I call "Data hiding" as well - allowing the model to see the shape of the data but not the data itself, except only when directly relevant.
I just helped a non-technical friend install one of these coding agents, because it's the best way to use an AI model today that can do more than give him answers to questions. I'm not surprised to see this announced and I would expect the same to happen with all the code agents becoming generalized like this
The biggest challenge towards adoption is security and data loss. Prompt injection and social engineering are essentially the same thing, so I think prompt injection will have to be solved the same way. Data loss is easier to solve with a sandbox and backups. Regardless, I think for many the value of using general purpose agents will outweigh the security concerns for now, until those catch up
Claude Code is very good at `doc = f(doc, incremental_input)` where doc is a code file. It's no different if doc is a _prompt file_ designed to encapsulate best practices.
Hand it a set of unstructured SOP documents, give it access to an MCP for your email, and have it gradually grow a set of skills that you can then bring together as a knowledge base auto-responder instruction-set.
Then, unlike many opaque "knowledge-base AI" products, you can inspect exactly how over-fitted those instructions are, and ask it to iterate.
What I haven't tried is whether Cowork will auto-compact as it goes through that data set, and/or take max-context-sized chunks and give them to a sub-agent who clears its memory between each chunk. Assuming it does, it could be immensely powerful for many use cases.
If the latter, I'm a bit skeptical, as I haven't had great success with Claude's visual recognition. It regularly tells me there's nothing wrong with completely broken screenshots.
Is it that hard to check your calendar? Also feels insincere to have a meeting of say 30 mins to show a claude made deck that you did it in 4 seconds.
Cowork is the nice version. The "here's a safe folder for Claude to play in" version. Which is great! Genuinely. More people should try this.
But!!! The terminal lets you do more. It always will. That's just how it works.
And when Cowork catches up, you'll want to go further. The gap doesn't close. It just moves.
All of this, though, is good? I think??
Claude Cleaner, I mean Cowork will be sweeping my desktop every Friday.
I'm sure it'll be useful for more stuff but man…
I use Claude Code for everything. I have a short script in ~/bin/ called ,cc that I launch that starts it in an appropriate folder with permissions and contexts set up:
    ~ tree ~/claude-workspaces -d
    /Users/george/claude-workspaces
    ├── context-creator
    ├── imessage
    │   └── tmp
    │       └── contacts-lookup
    ├── modeler
    ├── research
    ├── video
    └── wiki
I'll usually pop into one of these (say, video) and say something stupid like: "Find the astra crawling video and stabilize it to focus on her and then convert into a GIF". That one knows it has to look in ~/Movies/Astra and it'll do the natural thing of searching for a file named crawl or something and then it'll go do the rest of the work. Likewise, the `modeler` knows to create OpenSCAD files and so on, the `wiki` context knows that I use Mediawiki for my blog and have a Template:HackerNews and how to use it and so on. I find these make doing things a lot easier and, consequently, more fun.
All of this data is trusted information: i.e. it's from me so I know I'm not trying to screw myself. My wife is less familiar with the command-line so she doesn't use Claude Code as much as me, and prefers to use ChatGPT the web-app for which we've built a couple of custom GPTs so we can do things together.
Claude is such a good model that I really want to give my wife access to it for the stuff she does (she models in Blender). The day that these models get really good at using applications on our behalf will be wonderful! Here's an example model we made the other day for the game Power Grid: https://wiki.roshangeorge.dev/w/Blog/2026-01-11/Modeling_Wit...
I have a folder which is controlled by Git, the folder contains various markdown files as my personal knowledge base and work planning files (It's a long story that I have gradually migrated from EverNote->OneNote->Obsidian->plain markdown files + Git), last time I tried to wire a Local LLM API (using LMStudio) to claude code/open code, and use the agent to analyze some documents, but the result is not quite good, either can't find the files or answer quality is bad.
It will be interesting for me, trying to figure out how to differentiate from Claude Cowork in a meaningful way, but there's a lot of room here for competition, and no one application is likely to be "the best" at this. Having said that, I am sure Claude will be the category leader for quite a while, with first mover advantage.
I'm currently rolling out my alpha, and am looking for investment & partners.
How confident are we that this is a strict measure?
I personally have zero confidence in Claude rulesets and settings as a way to fence it in. I've seen Claude decide desperately for itself what to access once it has context bloat? It can tend to ignore rules?
Unless there is a OS level restriction they are adhering to?
Is it possible this gets access to a faster API tier?
Try it https://tabtabtab.ai
Would love some feedback!
In my opinion, these things are better run in the cloud to ensure you have a properly sandboxed, recoverable environment.
At this point, I am convinced that almost anyone heavily relying on desktop chat application has far too many credentials scattered on the file system ready to be grabbed and exploited.
Unsure what the future looks like unless Frontier Labs start financing everything that is open source.
It's a very powerful way to work on all kinds of things. V. interested to try co-work when it drops to Plus subscribers.
Sharing here in case anybody from Anthropic sees and can help get this working again.
It may seem off-topic, but I think it hurts developer trust to launch new apps while old ones are busted.
On the other hand, it’s not “Claude Coder”, then it’s at least consistent.
1) Read meeting transcripts 2) Pull out key points 3) Find action items 4) Check Google Calendar 5) Build standup deck
feels like "how to put yourself out of a job 101."
It's interesting to see the marketing material be so straightforward about that.
Basic ideas are minimal privilege per task in a minimal and contained environment for everything and heavy control over all actions AI is performing. AI can perform tasks without seeing any of your personal information in the process. A new kind of orchestration and privacy layer for zero trust agentic actions.
Redactsure.com
From this feed I figured I'd plug my system, would love your feedback! I believe we are building out a real solution to these security and privacy concerns.
While the entire field is early I do believe systems like my own and others will make these products safe and reliable in the near future.
It’s made one in the past for me with some errors, but a framework I could work with.
It created an “interactive artifact” that wouldn’t work in the browser or their apps. Gaslit me for 3 revisions of me asking why it wasn’t working.
Created a text file that it wanted me to save as a .csv to import into excel that failed hilariously.
When I asked it to convert the csv to an excel file it apologized and told me it was ready. No file to download.
I asked where the file was and it apologized again and told me it couldn’t actually do spreadsheets and at that point I was out of paid credits for 4 more hours.
Bringing that type of functionality to a wider audience and out of the CLI could be really cool!
Is this now a violation of the Claude terms of service that can get me banned from claude-code for me to continue work on these things?
otherwise, looks interesting.
Particularly in a work environment, one misfire could destroy months or years of important information.
OpenAI: we will do the Non-Code button first, then we implement the Code button.
It took some training but I'm now starting almost all tasks with claude code: need to fill out some word document, organize my mail inbox, write code, migrate blog posts from one system to another, clean up my computer...
It's not perfect perfect, but I'm having fun and I know I'm getting a lot of things done that I would not have dared to try previously.