~/docs/resources/top-6-claude-cowork-security-risks-to-watch.mdLast modified: Just now
AUDIENCE:Cyber, SOC, GRC, security leaders, and technical teams that need to move from signal to action.
PROMISE:Spot deployments, enforce MCP allowlists, and monitor scheduled tasks to catch stealthy prompt injections and session hijacks.
Spot deployments, enforce MCP allowlists, and monitor scheduled tasks to catch stealthy prompt injections and session hijacks.
Practical, readable, and actionable document.
##Why this matters
This agent reads files, runs shell commands, and uses your real Chrome sessions without audit logs.
Focus on operational controls behind Claude Cowork, not just its AI features.
Anthropic explicitly states Cowork activity is not captured in Audit Logs, Compliance API, or Data Exports Source: Source.
Cowork browses with actual Chrome, the user's real cookies, and active sessions Source: Source.
##Technical insights to keep
- -Local file system access (read/write/delete with user permission)
- -Shell command execution via MCP tools like run_shell_command
- -Browser automation using the user's real Chrome instance, cookies, and active sessions
- -Scheduled task automation running unattended on the employee's machine
- -Parallel sub-agent execution for multi-step tasks
- -Inventory all Cowork deployments, connectors, and MCP servers across engineering, operations, and business teams
- -Verify if the organization is using the Enterprise tier (required for SSO, SCIM, RBAC, Chrome off by default, and tenan.
- -Inject the `anthropic-allowed-org-ids` header at a TLS-inspecting proxy to block account-switching loopholes
- -Push `managed-settings.json` via MDM to disable bypass mode, deny credential-file reads, restrict mounts, and enforce M.
##Recommended action path
[01]Inventory all Cowork deployments, connectors, and MCP servers across engineering, operations, and business te.
[02]Verify if the organization is using the Enterprise tier (required for SSO, SCIM, RBAC, Chrome off by default.
[03]Inject the `anthropic-allowed-org-ids` header at a TLS-inspecting proxy to block account-switching loopholes
[04]Push `managed-settings.json` via MDM to disable bypass mode, deny credential-file reads, restrict mounts, and.
[05]Disable web search unless needed, set connectors to read-only, and scope file access to a dedicated folder
[06]Inventory all Cowork deployments, connectors, and MCP servers across engineering, operations, and business teams
[07]Verify if the organization is using the Enterprise tier (required for SSO, SCIM, RBAC, Chrome off by default, and tenan.
[08]Push `managed-settings.json` via MDM to disable bypass mode, deny credential-file reads, restrict mounts, and enforce M.
##Audit checklist
Group 1 : Controls
- ->Inventory all Cowork deployments, connectors, and MCP servers across engineering, operations, and business teams
- ->Verify if the organization is using the Enterprise tier (required for SSO, SCIM, RBAC, Chrome off by default, and tenan.
- ->Inject the `anthropic-allowed-org-ids` header at a TLS-inspecting proxy to block account-switching loopholes
- ->Push `managed-settings.json` via MDM to disable bypass mode, deny credential-file reads, restrict mounts, and enforce M.
Group 2 : Evidence
- ->Disable Chrome integration unless a specific, justified use case exists
- ->Apply IAM controls to AI workflows, agents, and connected tools; monitor MCP connectors and granted permissions
- ->Treat all MCP tool results as untrusted data to mitigate prompt injection from crafted GitHub issues or poisoned databa.
- ->Remove unused MCP servers to reduce attack surface
Group 3 : Pitfalls
- ->Indirect prompt injection via malicious documents, PDFs, or web pages that redirect agent behavior without user knowled.
- ->No audit logging: Cowork activity is excluded from Anthropic Audit Logs, Compliance API, and Data Exports, creating a c.
- ->Data exfiltration of sensitive local files (credentials, API keys, PII) stored in Documents, Downloads, or Desktop fold.
- ->Autonomous execution without human-in-the-loop oversight, allowing consequential actions like file modifications or web.
##Operational view
The flow connects baseline, deployment, audit evidence, and ongoing maintenance.
Baseline
- ├─Inventory all Cowork deployments, connectors, and MCP servers across engineering, operations, and business teams
- └─Verify if the organization is using the Enterprise tier (required for SSO, SCIM, RBAC, Chrome off by default, and tenan.
Deployment
- ├─Inventory all Cowork deployments, connectors, and MCP servers across engineering, operations, and business te.
- └─Verify if the organization is using the Enterprise tier (required for SSO, SCIM, RBAC, Chrome off by default.
Evidence
- ├─Disable Chrome integration unless a specific, justified use case exists
- └─Apply IAM controls to AI workflows, agents, and connected tools; monitor MCP connectors and granted permissions
Maintenance
- ├─Review configuration drift
- └─Plan updates
