On March 23, Anthropic announced that Claude can now point, click, and navigate your Mac like a human user. Through Claude Cowork and Claude Code, subscribers can hand their desktops to an AI agent that opens apps, fills spreadsheets, manages email, and executes multi-step workflows autonomously.
A week earlier, Anthropic launched Dispatch: a persistent conversation between your phone and your Mac. Message Claude from the airport, come back to finished work on your desktop. The pitch is compelling. The demo video shows Claude exporting a pitch deck as a PDF and attaching it to a meeting invite while the user runs late.
Here's the problem: the fundamental vulnerability that lets attackers hijack AI agents, prompt injection, hasn't been solved. Anthropic's own documentation acknowledges that "in some circumstances, Claude will follow commands found in content even if it conflicts with the user's instructions." That admission was acceptable when Claude could only generate text. Now it can move your mouse.
The Two-Tier Security Model Nobody Is Examining
Claude's computer use follows a hierarchy. When you ask it to send a Slack message, it first tries the Slack connector: an API integration with proper authentication, rate limits, and audit logs. If no connector exists for the task, Claude falls back to raw desktop control: clicking through the UI with your mouse and keyboard.
This creates a two-tier security model with radically different properties for the same action. Sending a Slack message through the connector produces an API-level audit trail. Sending the same message by clicking through the Slack UI produces nothing. The user may not even know which path Claude chose.
For enterprises evaluating this technology, the fallback path is the one that matters. Connectors exist for a handful of popular services. Everything else, and there's a lot of everything else, routes through unaudited desktop control. The security posture of your AI agent depends entirely on which execution path it takes, and that decision happens invisibly.
Prompt Injection Just Graduated from Text to Desktop Actions
I've written extensively about prompt injection risks in agentic AI systems. The core attack is straightforward: an attacker hides malicious instructions inside content the AI processes, and the AI follows those instructions instead of the user's. When the AI could only generate text, prompt injection could leak context or produce misleading output. Annoying, but containable.
Computer use changes the equation. A prompt injection that hits Claude during a desktop workflow doesn't just produce bad text. It can click buttons, navigate to URLs, open terminals, and execute commands. The attack surface expanded from "what Claude can say" to "what Claude can do," which now includes everything a human user can do at a keyboard.
Anthropic reports a roughly 1% attack success rate on prompt injection even after mitigations. That sounds low until you consider the agent loop architecture. Claude's computer use works in cycles: take a screenshot, decide what to click, execute the action, take another screenshot, repeat. A 10-step workflow means 10 screenshots, each containing on-screen content that could harbor injected instructions. The cumulative exposure isn't 1%; it's compounding with every iteration.
This is the same pattern I described in The Visual Prompt Injection Problem: when AI systems process visual inputs, every pixel on screen becomes a potential attack vector. Computer use makes this concrete. An attacker doesn't need to compromise your system. They need to put the right text on a webpage that Claude screenshots during a task.
The Track Record Isn't Reassuring
Anthropic's security track record with Cowork specifically should give enterprises pause.
In October 2025, security researcher Johann Rehberger disclosed a file exfiltration vulnerability to Anthropic via HackerOne. The attack was elegant: a .docx file containing a hidden prompt injection (1-point white-on-white text) instructs Claude to execute a curl command to Anthropic's own file upload API using the attacker's API key. Because Cowork's VM whitelists the Anthropic API as trusted, the exfiltration succeeds. Anthropic closed the bug report within an hour.
When Cowork launched in January 2026, nearly three months later, the vulnerability was still present. Anthropic shipped a product to millions of users with a known file exfiltration path. The partial patch didn't arrive until mid-February.
This isn't an isolated case. CVE-2025-59536 (CVSS 8.7) enabled remote code execution through malicious .claude/settings.json files in cloned repositories. CVE-2026-21852 (CVSS 5.3) allowed API key exfiltration via ANTHROPIC_BASE_URL override. Security researchers at koi.ai found that three official Claude Desktop extensions, the Chrome, iMessage, and Apple Notes connectors, all contained unsanitized command injection vulnerabilities where a single malicious website could turn a question into arbitrary code execution.
The pattern is consistent: ship fast, patch later. That approach carries different stakes when the AI can control your desktop.
Enterprise Governance: The Audit Log Gap
For enterprises operating under compliance requirements, the governance picture is stark. According to MintMCP's analysis, Cowork activity is excluded from Anthropic's audit logs, Compliance API, and data exports. Anthropic explicitly states Cowork should not be used for regulated workloads.
The compliance status by framework:
- SOC 2 Type II: Limited. Cowork actions not captured in audit trail.
- HIPAA: Not ready. No PHI audit trail.
- PCI-DSS: Not ready. No audit trail for cardholder data.
- GDPR: Evaluate cautiously. Activity not captured in audit tools.
- FedRAMP: Not authorized.
This matters because computer use dramatically expands what Cowork can access. Before computer use, Claude interacted with files and APIs. Now it can see and interact with anything on screen: browser sessions with saved credentials, open documents, email inboxes, calendar entries, internal dashboards. All without generating a compliance-ready log of what it accessed.
Pro and Max plans, which include computer use, lack organization-level admin controls. Meaningful governance requires Team or Enterprise plans with centralized administration and plugin governance. The feature most likely to create compliance incidents is available on the plans least equipped to manage them.
Shadow IT at Desktop Scale
When I wrote about shadow AI and data exfiltration risk, the concern was employees using AI chatbots to process sensitive data without IT oversight. Computer use accelerates this problem by an order of magnitude.
An employee can now build entire automated desktop workflows that IT cannot see, audit, or control. These workflows inherit the employee's full system access: browser sessions, file system, credentials stored in keychains, SSH keys, environment variables. The shadow IT problem just went from "someone is using ChatGPT" to "someone built an autonomous agent that runs their entire morning workflow and nobody in IT knows it exists."
Dispatch makes this worse. An employee assigns a task from their phone during breakfast. Claude executes it on their work Mac. By the time they arrive at the office, the autonomous workflow has accessed, processed, and potentially transmitted data through paths that no security tool monitored. The agentic identity crisis that Okta flagged isn't theoretical anymore. It's running on employees' Macs right now.
The Competitive Context
Anthropic isn't alone in this space. OpenAI's Operator uses the O3 reasoning model for browser-based automation, though it's restricted to web tasks and cannot control local desktop apps or files. Google's Project Mariner extends Gemini into autonomous agent territory. Perplexity has its own computer tool.
But Anthropic went further than any competitor by combining full desktop control, a persistent cross-device conversation (Dispatch), and local file system access. That combination creates the largest attack surface of any shipping AI agent product.
This is happening while Anthropic's own threat intelligence team is disrupting state-sponsored campaigns that already use Claude's agentic capabilities for espionage. A Chinese state-sponsored group manipulated Claude into targeting roughly 30 global entities. The tool being weaponized by nation-state actors just got more capable.
What This Means for Security Leaders
Computer use isn't going away. The productivity potential is real, and the market is moving fast. But deploying this technology responsibly requires clear-eyed assessment of what's changed:
The attack surface expanded from APIs to everything on screen. Any content Claude can see during a desktop workflow is a potential prompt injection vector. That includes web pages, documents, emails, notifications, and any other application window visible during screenshots.
Audit trails are inadequate. If your compliance framework requires logging access to sensitive data, Cowork's computer use feature doesn't meet that bar. Connector-based actions may log properly; desktop control actions don't.
The fallback hierarchy is a security model problem. You need to understand which actions route through connectors (audited, rate-limited) and which fall back to desktop control (unaudited, unrestricted). Right now, there's no easy way to enforce connector-only operation.
Scope controls don't exist yet. There's no mechanism to say "Claude can access Slack and Google Docs but not the terminal, not the browser's saved sessions, and not the file system beyond /Documents/safe-folder." The permission model is binary: Claude can use the computer, or it can't.
The OWASP Top 10 for Agentic Applications provides a solid framework for thinking about these risks. Agent Goal Hijack (ASI01), Tool Misuse (ASI02), and Identity & Privilege Abuse (ASI03) all apply directly to computer use scenarios. If your security team hasn't reviewed this framework, now is the time.
Anthropic built something genuinely impressive. The connector-first architecture is smart. The sandboxing (84% permission prompt reduction via OS-level isolation) shows they're thinking about safety. But the gap between "thinking about safety" and "safe enough for enterprise deployment" remains wide, and shipping computer use before closing that gap is a choice that puts the burden of risk assessment squarely on the enterprises evaluating adoption.
The AI agent just got promoted to desktop employee. Make sure your security model can handle the new hire.
