A new report reveals a file exfiltration vulnerability in Anthropic's Claude Cowork, a research preview AI agent. Attackers can exploit indirect prompt injection to steal user files and upload them to their own Anthropic account. The flaw stems from known isolation issues in Claude's code execution environment that remain unaddressed, posing a direct threat to users trusting the tool with sensitive data.

The attack chain is disturbingly simple for non-technical users. A victim attaches a folder with confidential documents, then uploads a seemingly harmless file containing a hidden prompt injection. This malicious instruction manipulates Cowork into executing a cURL command, using the attacker's API key to upload the largest file to their account. No human approval is required during this process, making the exploit silent and effective.

Anthropic has acknowledged this risk, warning users to avoid granting Cowork access to sensitive local files while simultaneously encouraging its use for organizing desktops. Security experts argue it's unfair to expect regular, non-programmer users to detect 'suspicious actions' indicating prompt injection. The vulnerability was previously disclosed in Claude.ai but was not remediated before Cowork's release, extending the danger to a broader audience.

Beyond data theft, the research also uncovered a denial-of-service vector where malformed files can trigger repeated API errors, breaking the chat session. Cowork's ability to connect to browsers and MCP servers increases its 'blast radius,' creating more opportunities for attackers to inject malicious prompts through untrusted data sources. Users should exercise extreme caution when configuring these connectors.