Cowork: Claude Code for the rest of your work

Worth calling out that execution runs in a full virtual machine with only user-selected folders mounted in. CC itself runs, if the user set network rules, with https://github.com/anthropic-experimental/sandbox-runtime.

There is much more to do - and our docs reflect how early this is - but we're investing in making progress towards something that's "safe".

> (I don't think it's fair to ask non-technical users to look out for "suspicious actions that may indicate prompt injection" personally!)

It's the "don't click on suspicious links" of the LLM world and will be just as effective. It's the system they built that should prevent those being harmful, in both cases.

There's no AI that's secure and capable of doing anything an idiot would do on the internet with whatever data you give it.

This is a perfect encapsulation of the same problem: https://www.reddit.com/r/BrandNewSentence/comments/jx7w1z/th...

Substitute AI with Bear

That's why I run it inside a sandbox - https://github.com/ashishb/amazing-sandbox

Prompt injection will never be "solved". It will always be a threat.

What would you consider a tight sandboxed without exfiltration vectors? Agents are used to run arbitrary compute. Even a simple write to disk can be part of an exfiltration method. Instructions, bash scripts, programs written by agents can be evaluated outside the sandbox and cause harm. Is this a concern? Or, alternatively, your concern is what type of information can leak outside of that particular tight sandbox? In this case I think you would have to disallow any internet communication besides the LLM provider itself, including the underlying host of the sandbox.

You brought this up a couple of times now, would appreciate clarification.

I do get a "Setting up Claude's workspace" when opening it for the first time - it appears that this does do some kind of sandboxing (shared directories are mounted in).

I built https://github.com/nezhar/claude-container for exactly this reason - it's easy to make mistakes with these agents even for technical users, especially in yolo mode.

> (I don't think it's fair to ask non-technical users to look out for "suspicious actions that may indicate prompt injection" personally!)

Yes, but at least now its only restricted to Claude Max subscribers, who are likely to be at least semi-technical (or at least use AI a lot)?

If you're on Linux, you can run AI agents in Firejail to limit access to certain folders/files.

Is there any reasonably fast and portable sandboxing approach that does not require a full blown VM or containers? For coding agents containers are probably the right way to go, but for something like Cowork that is targeted at non-technical users who want or have to stay local, what's the right way?

container2wasm seems interesting, but it runs a full blown x86 or ARM emulator in WASM which boots an image derived from a docker container [0].

[0] https://github.com/container2wasm/container2wasm

That's one thing. Another would be introducing homomorphic encryption in order for companies and people using their models to stay compliant and private. I can't believe it's such an under-researched area in AI.

> tells users "Avoid granting access to local files with sensitive information, like financial documents"

Good job that video of it organising your Desktop doesn't show folders containing 'Documents', 'Photos', and 'Projects'!

Oh wait.

My entire job is working with financial documents so this doesn't really do much for me

How does prompt injection happen? Or is it more a new link in a chain of existing failures?

Problem is technical people on average (I wouldn't say all of us) know what we don't know. I'm naturally cautious when running new stuff or even just trying something new in life.

This is why the Android permissions system of "allow this app to x, y, z" whilst great for me, isn't really a good system for the average person, because what do they do "yes, yes, yes, just let me see my Tiktoks!1111"

I haven't dug too deep, but it appears to be using a bubblewrap sandbox inside a vm on the Mac using Apple's Virtualization.framework from what I can tell. It then uses unix sockets to proxy network via socat.

ETA: used Claude Code to reverse engineer it:

   Insight ─────────────────────────────────────

  Claude.app VM Architecture:
  1. Uses Apple's Virtualization.framework (only on ARM64/Apple Silicon, macOS 13+)
  2. Communication is via VirtioSocket (not stdio pipes directly to host)
  3. The VM runs a full Linux system with EFI/GRUB boot

  ─────────────────────────────────────────────────

        ┌─────────────────────────────────────────────────────────────────────────────────┐
        │  macOS Host                                                                     │
        │                                                                                 │
        │  Claude Desktop App (Electron + Swift native bindings)                          │
        │      │                                                                          │
        │      ├─ @anthropic-ai/claude-swift (swift_addon.node)                           │
        │      │   └─ Links: Virtualization.framework (ARM64 only, macOS 13+)            │
        │      │                                                                          │
        │      ↓ Creates/Starts VM via VZVirtualMachine                                   │
        │                                                                                 │
        │  ┌──────────────────────────────────────────────────────────────────────────┐  │
        │  │  Linux VM (claudevm.bundle)                                              │  │
        │  │                                                                          │  │
        │  │  ┌────────────────────────────────────────────────────────────────────┐  │  │
        │  │  │  Bubblewrap Sandbox (bwrap)                                        │  │  │
        │  │  │  - Network namespace isolation (--unshare-net)                     │  │  │
        │  │  │  - PID namespace isolation (--unshare-pid)                         │  │  │
        │  │  │  - Seccomp filtering (unix-block.bpf)                              │  │  │
        │  │  │                                                                    │  │  │
        │  │  │  ┌──────────────────────────────────────────────────────────────┐  │  │  │
        │  │  │  │  /usr/local/bin/claude                                       │  │  │  │
        │  │  │  │  (Claude Code SDK - 213MB ARM64 ELF binary)                  │  │  │  │
        │  │  │  │                                                              │  │  │  │
        │  │  │  │  --input-format stream-json                                  │  │  │  │
        │  │  │  │  --output-format stream-json                                 │  │  │  │
        │  │  │  │  --model claude-opus-4-5-20251101                            │  │  │  │
        │  │  │  └──────────────────────────────────────────────────────────────┘  │  │  │
        │  │  │       ↑↓ stdio (JSON-RPC)                                          │  │  │
        │  │  │                                                                    │  │  │
        │  │  │  socat proxies:                                                    │  │  │
        │  │  │  - TCP:3128 → /tmp/claude-http-*.sock (HTTP proxy)                │  │  │
        │  │  │  - TCP:1080 → /tmp/claude-socks-*.sock (SOCKS proxy)              │  │  │
        │  │  └────────────────────────────────────────────────────────────────────┘  │  │
        │  │                                                                          │  │
        │  └──────────────────────────────────────────────────────────────────────────┘  │
        │           ↕ VirtioSocket (RPC)                                                 │
        │      ClaudeVMDaemonRPCClient.swift                                             │
        │           ↕                                                                    │
        │      Node.js IPC layer                                                         │
        └─────────────────────────────────────────────────────────────────────────────────┘

ComponentDetailsKernelLinux 6.8.0-90-generic aarch64 (Ubuntu PREEMPT_DYNAMIC)OSUbuntu 22.04.5 LTS (Jammy Jellyfish)HostnameclaudeCPU4 cores, Apple Silicon (virtualized), 48 BogoMIPSRAM3.8 GB total (~620MB used at idle)SwapNone

Storage Layout

DeviceSizeTypeMount PointPurpose/dev/nvme0n1p19.6 GBext4/Root filesystem (rootfs.img)/dev/nvme0n1p1598 MBvfat/boot/efiEFI boot partition/dev/nvme1n19.8 GBext4/sessionsSession data (sessiondata.img)virtiofs-virtiofs/mnt/.virtiofs-root/shared/...Host filesystem access

Filesystem Mounts (User Perspective)

        /sessions/gallant-vigilant-lamport/
        ├── mnt/
        │   ├── claude-cowork/     → Your selected folder (virtiofs + bindfs)
        │   ├── .claude/           → ~/.claude config (bindfs, rw)
        │   ├── .skills/           → Skills/plugins (bindfs, ro)
        │   └── uploads/           → Uploaded files (bindfs)
        └── tmp/                   → Session temp files
        
        Session User
        A dedicated user is created per session with a Docker-style random name:
        User: gallant-vigilant-lamport
        UID:  1001
        Home: /sessions/gallant-vigilant-lamport
        Process Tree
        PID 1: bwrap (bubblewrap sandbox)
        └── bash (shell wrapper)
            ├── socat TCP:3128 → unix socket (HTTP proxy)
            ├── socat TCP:1080 → unix socket (SOCKS proxy)
            └── /usr/local/bin/claude (Claude Code SDK)
                └── bash (tool execution shells)

        Security Layers

        Apple Virtualization.framework - Hardware-level VM isolation
        Bubblewrap (bwrap) - Linux container/sandbox

        --unshare-net - No direct network access
        --unshare-pid - Isolated PID namespace
        --ro-bind / / - Read-only root (with selective rw binds)


        Seccomp - System call filtering (unix-block.bpf)
        Network Isolation - All traffic via proxied unix sockets

        Network Architecture
        ┌─────────────────────────────────────────────────────────────┐
        │  Inside Sandbox                                             │
        │                                                             │
        │  claude process                                             │
        │      │                                                      │
        │      ↓ HTTP/HTTPS requests                                  │
        │  localhost:3128 (HTTP proxy via env vars)                   │
        │      │                                                      │
        │      ↓                                                      │
        │  socat → /tmp/claude-http-*.sock ─────────┐                │
        │                                            │                │
        │  localhost:1080 (SOCKS proxy)              │                │
        │      │                                     │                │
        │      ↓                                     │                │
        │  socat → /tmp/claude-socks-*.sock ────────┤                │
        └───────────────────────────────────────────┼────────────────┘
                                                    │
                                VirtioSocket ←──────┘
                                                    │
        ┌───────────────────────────────────────────┼────────────────┐
        │  Host (macOS)                             │                │
        │                                           ↓                │
        │                              Claude Desktop App            │
        │                                           │                │
        │                                           ↓                │
        │                                    Internet                │
        └─────────────────────────────────────────────────────────────┘
        Key insight: The VM has only a loopback interface (lo). No eth0, no bridge. All external network access is tunneled through unix sockets that cross the VM boundary via VirtioSocket.


  Communication Flow

  From the logs and symbols:

  1. VM Start: Swift calls VZVirtualMachine.start() with EFI boot
  2. Guest Ready: VM guest connects (takes ~6 seconds)
  3. SDK Install: Copies /usr/local/bin/claude into VM
  4. Process Spawn: RPC call to spawn /usr/local/bin/claude with args

  The spawn command shows the actual invocation:
  /usr/local/bin/claude --output-format stream-json --verbose \
    --input-format stream-json --model claude-opus-4-5-20251101 \
    --permission-prompt-tool stdio --mcp-config {...}

Terrible advice to users: be on the lookout for suspicious actions. Humans are terrible at this.

Frequency vs. convenience will determine how big of a deal this is in practice.

Cars have plenty of horror stories associated with them, but convenience keeps most people happily driving everyday without a second thought.

Google can quarantine your life with an account ban, but plenty of people still use gmail for everything despite the stories.

So even if Claude cowork can go off the rails and turn your digital life upside down, as long as the stories are just online or "friend of a friend of a friend", people won't care much.

The first version is for macOS, which has snapshots [1] and file versioning [2] built-in.

[1]: https://eclecticlight.co/2024/04/08/apfs-snapshots/

[2]: https://eclecticlight.co/2021/09/04/explainer-the-macos-vers...

Once upon a time, in the magical days of Windows 7, we had the Volume Shadow Copy Service (aka "Previous Versions") available by default, and it was so nice. I'm not using Windows anymore, and at least part of the reason is that it's just objectively less feature complete than it used to be 15 years ago.

Somewhat related is a concern I have in general as things get more "agentic" and related to the prompt injection concerns; without something like legally bullet-proof contracts, aren't we moving into territory of basically "employing" what could basically be "spies" at all levels from personal (i.e., AI company staff having access to your personal data/prompts/chats) to business/corporate espionage, to domestic and international state level actors who would also love to know what you are working on and what you are thinking/chatting about and maybe what your mental health challenges are that you are working through with an AI chat therapist.

I am not even certain if this issue can be solved since you are sending your prompts and activities to "someone else's computer", but I suspect if it is overlooked or hand-waved as insignificant, there will be a time when open, local models will become useful enough to allow most to jettison cloud AI providers.

I don't know about everyone else, but I am not at all confident in allowing access and sending my data to some AI company that may just do a rug pull once they have an actual virtual version of your mind in a kind of AI replication.

I'll just leave it at that point and not even go into the ramifications of that, e.g., "cybercrimes" being committed by "you", which is really the AI impersonator built based on everything you have told it and provide access to.

Q: What would prevent them from using git style version control under the hood? User doesn’t have to understand git, Claude can use it for its own purposes.

Indeed there are and this is no rocket science. Like Word Documents offer a change history, deleted files go to the trash first, there are undo functions, TimeMachine on MacOs, similar features on Windows, even sandbox features.

>>I expect to see many stories from parents, non-technical colleagues, and students who irreparably ruined their computer.

I do believe the approach Apple is taking is the right way when it comes to user facing AI.

You need to reduce AI to being an appliance that does one or at most a few things perfectly right without many controls with unexpected consequences.

Real fun is robots. Not sure no one is hurrying up on that end.

>>Edit: most comments are focused on pointing out that version control & file system snapshot exists: that's wonderful, but Claude Cowork does not use it.

Also in my experience this creates all kinds of other issues. Like going back up a tree creates all kinds of confusions and keeps the system inconsistent with regards to whatever else it is you are doing.

You are right in your analysis that many people are going to end up with totally broken systems

In theory the risk is immense and incalculable, but in practice I've never found any real danger. I've run wide open powershell with an OAI agent and just walked away for a few hours. It's a bit of a rush at first but then you realize it's never going to do anything crazy.

The base model itself is biased away from actions that would lead to large scale destruction. Compound over time and you probably never get anywhere too scary.

There's no reason why Claude can't use git to manage the folders that it controls.

TimeMachine has never been so important.

IIUC, this is a preview for Claude Max subscribers - I'm not sure we'll find many teachers or students there (unless institutions are offering Max-level enterprise/team subscriptions to such groups). I speculate that most of those who will bother to try this out will be software engineering people. And perhaps they will strengthen this after enough feedback and use cases?

If this is like Claude Code for everyone else, shouldn’t it be snapshotting anything it changes so that you can go back to the previous state?

Yeah, seems like this could be achieved by using https://github.com/streamich/memfs/blob/master/docs/snapshot...

Weird they don't use it - might backfire hard

Pretty much every company I work with uses the desktop sync tools for OneDrive/GoogleDrive/Dropbox etc.

It would be madness to work completely offline these days, and all of these systems have version history and document recovery built in.

I hope we see further exploration into immutable/versioned filesystems and databases where we can really let these things go nuts, commit the parts we want to keep, and revert the rest for the next iteration.

I would never use what is proposed by OP. But, in any case, Linux on ZFS that is automatically snapshotted every minute might be (part of) a solution to this dilemma.

You make a good point. I imagine that they will eventually add Perforce-style versioning to the product and this issue will be solved.

So the future is NixOS for non-technical people?

A human can also accidentally delete or mess up some files. The question is whether Claude Cowork is more prone to it.

There was a couple of posts here on hacker news praising agents because, it seems, they are really good at being a sysadmin. You don't need to be a non-technical user to be utterly fucked by AI.

Not a big problem to make snapshots with lvm or zfs and others. I use it automatically on every update

Your terms for Claude Max point to the consumer ToS. This ToS states it cannot be used for commercial purposes. Why is this? Why are you marketing a product clearly for business use and then have terms that strictly forbid it.

I’ve been trying to reach a human at Anthropic for a week now to clarify this on behalf of our company but can’t get past your AI support.

Hi Felix!

Simple suggestion: logo should be a cow and and orc to match how I originally read the product name.

AI and Claude Code are incredible tools. But use cases like "Organize my desktop" are horrible misapplications that are insecure, inefficient and a privacy nightmare. Its the smart refrigerator of this generation of tech.

I worry that the average consumer is none the wiser but I hope a company that calls itself Anthropic is anthropic. Being transparent about what the tool is doing, what permissions it has, educating on the dangers etc. are the least you can do.

With the example of clearing up your mac desktop: a) macOS already autofolds things into smart stacks b) writing a simple script that emulates an app like Hazel is a far better approach for AI to take

Looks cool, and I'm guilty as charged of using CC for more than just code. However, as a Max subscriber since the moment it was a thing, I find it a bit disheartening to see development resources being poured into a product that isn't available on my platform. Have you considered adding first-class support for Linux? -- Or for that matter sponsoring one of the Linux repacks of Claude Desktop on Github? I would love to use this, but not if I need to jump through a bunch of hoops to get it up and running.

Hi there, your training and inference rely on the openness of Linux. Would you consider giving something back with Claude for Linux?

What probability would you give for Linux support for Claude Desktop in 2026?

Beachball of death on “Starting Claude’s workspace” on the Cowork tab. Force quit and relaunch, and Claude reopens on the Cowork tab, again hanging with the beachball of death on “Starting Claude’s workspace”.

Deleting vm_bundles lets me open Claude Desktop and switch tabs. Then it hangs again, I delete vm_bundles again, and open it again. This time it opens on the Chat tab and I know not to click the Cowork tab...

@Felix - How are you thinking about observability? Anthropic is very clear that evals are critical for agentic processes (your engineering blog just covered this last week). For my whole company to roll out access to agents for all staff, I'd need some way for staff (or IT) to be able to know (a) how reliable the systems are (i.e., evals), (b) how safe the systems are (could be audit trails), and (c) how often the access being given to agents is the right amount of access.

This has been one of the biggest bottlenecks for our company: not the capability of the agents themselves -- the tools needed to roll them out responsibly.

You released it at just the right time for me. When I saw your announcement, I had two tasks that I was about to start working on: revising and expanding a project proposal in .docx format and adapting some slides (.pptx) from a past presentation for different audience.

I created a folder for Cowork, copied a couple of hundred files into it related to the two tasks, and told Claude to prepare a comprehensive summary in markdown format of that work (and some information about me) for its future reference.

The summary looked good, so I then described the two tasks to Claude and told it to start working.

Its project proposal revision was just about perfect. It took me only about 10 more minutes to polish it further and send it off.

The slides took more time to fix. The text content of some additional slides that Claude created was quite good and I ended up using most of it, but the formatting did not match the previous slides and I had to futz with it a while to make it consistent. Also, one slide it created used a screenshot it took using Chrome from a website I have built; the screenshot didn’t illustrate what it was supposed to very well, so I substituted a couple of different screenshots that I took myself. That job is now out the door, too.

I had not been looking forward to either of those two tasks, so it’s a relief to get them done more quickly than I had expected.

One initial problem: A few minutes into my first session with Claude in Cowork, after I had updated the app, it started throwing API errors and refusing to respond. I used the "Clear Cache and Restart" from the Troubleshooting menu and started over again from the start. Since then there have been no problems.

Hey, congrats on the launch. Been thinking lot about this space (wrote this back in August: https://martinalderson.com/posts/building-a-tax-agent-with-c...).

Would love to connect, my emails in my bio if you have time!

Hi Felix, this looks like an incredible tool. I've been helping non-tech people at my org make agent flows for things like data analysis—this is exactly what they need.

However, I don't see an option for AWS Bedrock API in the sign up form, is it planned to make this available to those using Bedrock API to access Claude models?

Being able to undo any changes that Cowork makes seems important. Any plans for automatic snapshots or an undo log?

Was looking forward to try it, but just processing a notion page and prepare an outline for a report breaks it: This is taking longer than usual...(14m 2s)

/e: stopped it and retried. it seems it can't use the connectors? I get No such tool available

Question: I see that the “actions hints” in the demo show messaging people as an option.

Is this a planned usecase, for the user to hand over human communication in, say, slack or similar? What are the current capabilities and limitations for that?

I guess you need to know about this: https://news.ycombinator.com/item?id=46597781

Hey Felix, would love to give you feedback, but the language redirect of the website is trying to route me to de-de, and thus I can't see the page.

You might want to fix this.

Why do all similar demos show “prep the deck” use case as if everybody is building power point slides all day long?

Would love to see a Linux native application for this, after all a lot of folks are using it more and more these days.

Hullo! Congrats on shipping this, it looks great!

I'm very curious about what you mean by 'cross device sync' in the post?

Do you expect more token usage with it or will Anthropic change the limits of user token limit in the future?

Cheers Felix, congrats on the launch!

The announcement says existing connectors work, but only Claude for chrome does.

Congrats! I'll be working this out. It doesn't seem that you can connect to gmail currently through cowork right now. When will the connectors roll out for this? (Gmail works fine in chats currently).

Looks good so far - I hope Windows support follows soon!

Can you release custom GPTs like ChatGPT has?

would like to be able to point at aws bedrock models like i can with claude code

Hi! Windows support when?

hello Felix, that page is 404 here at the moment :(

Congrats Felix :)

Please give me access via api key

It's great and reassuring to know that, in this day and age, products still get made entirely by one individual.

> Hi, Felix from the team here, this is my product - let us know what you think. > We're on purpose releasing this very early, we expect to rapidly iterate on > it.

> (We're also battling an unrelated Opus 4.5 inference incident right now, so > you might not see Cowork in your client right away.)

hope u used these. can drastically reduce the 11mb to a couple of hundred kilobytes.

https://github.com/thameera/harcleaner and https://har-sanitizer.pages.dev/

A more easy reproduction: disable JS.

To bypass: `.transition_wrap { display: none }`

On android, these don't work: Firefox Chrome Firefox focus :-(

Thanks anthropic

doesn't work.

you could have made if much simpler using playwright mcp.

You could figure it out yourself under 5 mins. Nothing crazy here.

Some do, some don't.

The reality is there are some of us who truly just don't care. The convenience outweighs the negative. Yesterday I told an agent, "here's my api key and my root password - do it for me". Privacy has long since been dead, but at least for myself opsec for personal work is too.

When choosing between convenience and privacy, most people seem to choose convenience

I have my bank statements on a drive on a cloud. We are way past that phase.

There has to be a way to set permissions right? The demo video they provided doesn't even need permission to read file contents, just read the file titles and sort them into folders based on that. It would be a win-win anyways, less tokens going into Claude -> lower bill for customer, more privacy, and more compute available to Anthropic to process more heavy workloads.

But I don't want alphabetical. Alphabetical is just a known sort order so I can find the file I want. How about it sorts by "this is the file you're looking for"?

Have you ever used any Anthropic AI product? You cannot literally do anything without big permissions, warnings, or annoying always-on popup warning you about safety.

     v-- click!
  [ACCEPT] [CANCEL]

Ship has sailed. I have my deepest secrets in Gmail and Docs. We need big tech to make this secure as possible from threats. Scammers and nations alike.

I pray for whoever has to review the slop I've generated.

A few months ago I would have said that no, Anthropic make it very clear that they don't ever train on customer data - they even boasted about that in the Claude 3.5 Sonnet release back in 2024: https://www.anthropic.com/news/claude-3-5-sonnet

> One of the core constitutional principles that guides our AI model development is privacy. We do not train our generative models on user-submitted data unless a user gives us explicit permission to do so.

But they changed their policy a few months ago so now as-of October they are much more likely to train on your inputs unless you've explicitly opted out: https://www.anthropic.com/news/updates-to-our-consumer-terms

This sucks so much. Claude Code started nagging me for permission to train on my input the other day, and I said "no" but now I'm always going to be paranoid that I miss some opt-out somewhere and they start training on my input anyway.

And maybe that doesn't matter at all? But no AI lab has ever given me a convincing answer to the question "if I discuss company private strategy with your bot in January, how can you guarantee that a newly trained model that comes out in June won't answer questions about that to anyone who asks?"

I don't think that would happen, but I can't in good faith say to anyone else "that's not going to happen".

For any AI lab employees reading this: we need clarity! We need to know exactly what it means to "improve your products with your data" or whatever vague weasel-words the lawyers made you put in the terms of service.

> I mean, we all know that they're only doing this to build a training data set

That's not a problem. It leads to better models.

> to put your business out of business and capture all the value for themselves, right?

That's both true and paranoid. Yes, LLMs subsume most of the software industry, and many things downstream of it. There's little anyone can do about it; this is what happens when someone invents a brain on a chip. But no, LLM vendors aren't gunning for your business. They neither care, nor have the capability to perform if they did.

In fact my prediction is that LLM vendors will refrain from cannibalizing distinct businesses for as long as they can - because as long as they just offer API services (broad as they may be), they can charge rent from an increasingly large amount of the software industry. It's a goose that lays golden eggs - makes sense to keep it alive for as long as possible.

Its impossible to explain this to the business owners, giving a company this much access cant end up well. Right now, Google, Slack, Apple have a share of the data but with this Claude can get all of that.

This is the AI era equal to "I can't share my ideas because you will steal them"

Reality is good ideas and a few SOPs do not make a successful business.

It's either that, or you are 100X slower for not using Claude Code. The manpower per hour savings are most likely more worth it than protecting some inputs.

You could also always run a local LLM like GLM for sensitive documents or information on a separate computer, and never expose that to third party LLMs.

You also need to remember that if you hire regular employees that they are still untrustworthy at a base level. There needs to be some obfuscation anyway since they can steal your data/info too as a human. Very common case especially when they run off to China or something to clone your company where IP laws don't matter.

I believe the idea is that it “files away” the files into folders.

> They can and most likely will release something that vaporises the thin moat you have built around their product.

As they should if they're doing most of the heavy lifting.

And it's not just LLM adjacent startups at risk. LLMs have enabled any random person with a claude code subscription to pole vault over your drying up moat over the course of a weekend.

Best defense is to basically stay small/niche enough that the big guys don't think your work is worth consuming/competing with directly.

There will always be a market for dedicated tools that do really specific things REALLY well.

I think that feeling is what you get when you read too much Hacker News :) There are, in fact, more startups being created now than ever. And I promise you, people said the same thing about going up against IBM back in the day...

When they go wide, you go deep

I agree that for writing documents and for a lot of other things like editing csv files or mockups, I want to be immersed in the editor together with Claude Code, not in a chat separated from my editors

Hey, don't forget booking your flights! Because everyone who has ever flown knows it's very safe to let an RNG machine book something like a flight for you!

Now they can start saying 90% of the meetings will be done by Claude agents by 2027 (And we will all get free puppies)

Then there's the shuffling around of atoms.

> you automated software development

very far from being true

I keep seeing “Claude image understanding is poor” being repeated, but I’ve experienced the opposite.

I was running some sentiment analysis experiments; describe the subject and the subjects emotional state kind of thing. It picked up on a lot of little detail; the brand name of my guitar amplifier in the background, what my t shirt said and that I must enjoy craft beer and or running (it was a craft beer 5k kind of thing), and picked up on my movement through multiple frames. This was a video slicing a frame every 500ms, it noticed me flexing, giving the finger, appearing happy, angry, etc. I was really surprised how much it picked up on, and how well it connected those dots together.

> Claude is definitely not taking screenshots of that desktop & organizing, it's using normal file management cli tools

Are you sure about that?

Try "claude --chrome" with the CLI tool and watch what it does in the web browser.

It takes screenshots all the time to feed back into the multimodal vision and help it navigate.

It can look at the HTML or the JavaScript but Claude seems to find it "easier" to take a screenshot to find out what exactly is on the screen. Not parse the DOM.

So I don't know how Cowork does this, but there is no reason it couldn't be doing the same thing.

Maybe at one time, but it absolutely understands images now. In VSCode Copilot, I am working on a python app that generates mesh files that are imported in a blender project. I can take a screenshot of what the mesh file looks like and ask Claude code questions about the object, in context of a Blender file. It even built a test script that would generate the mesh and import it into the Blender project, and render a screenshot. It built me a vscode Task to automate the entire workflow and then compare image to a mock image. I found its understanding of the images almost spooky.

Claude Opus 4.5 can understand images: one thing I've done frequently in Claude Code and have had great success is just showing it an image of weird visual behavior (drag and drop into CC) and it finds the bug near-immediately.

The issue is that Claude Code won't automatically Read images by default as a part of its flow: you have to very explicitly prompt it to do so. I suspect a Skill may be more useful here.

Many people will have to ask themselves these question soon regardless of their actions. I don't understand the critique here.

I wonder who the managers are going to manage..

Same for me but with my language. US defaultism strikes again ;) https://archive.ph/dIVPO here is an archive link that works

Yeah, the harness quality matters a lot. We're seeing the same pattern at Gobii - started building browser-native agents and quickly realized most of the interesting workflows aren't "code this feature" but "navigate this nightmare enterprise SaaS and do the thing I actually need done." The gap between what devs use Claude Code for vs. what everyone else needs is mostly just the interface.

But they created GenMoji?!

Agree. Seems to me that if you need something like this to automate your workflow; it's your workflow that needs to change.

You can still do all these things manually. Now you just have the option not to.

I don’t think this is for _hard_ things but rather for repetitive tasks, or tasks where a human would bring no value. I’ve used Claude for Chrome to search for stays in Airbnb for example; something that is not hard but takes a lot of time to do by hand when you have some precise requirements.

It’s not that insincere if all the other attendees are just meeting-taking robots the end result of which will be an automated “summary of the meeting I attended for you” :)

How many people join meetings these days just to zone out and wait for the AI-produced summary at the end?

Can humans do nothing now? Is it that hard to pick the potatoes yourself? You already planted them in rows (nature already does this). is it that hard to water them yourself? also feels insincere to tell your neighbor you grew those potatoes when a machine did everything.

Isn't this like the "but rsync" comments on Dropbox launch? The vast majority of the addressable market doesn't know what a terminal is.

I've had a similar experience. My sense is that there's no way this isn't how eventually most of knowledge work at the computer is going to work. Not necessarily through a terminal interface, I expect UIs to evolve quite a bit in the next few years, but having an omnipotent agent in the loop to do all of the gluing and gruntwork for you. Seems inevitable.

I tend to think this product is hard for those of us who've been using `claude` for a few months to evaluate. All I have seen and done so far with Cowork are things _I_ would prefer to do with the terminal, but for many people this might be their first taste of actually agentic workflows. Sometimes I wonder if Anthropic sort of regret releasing Claude Code in its 'runs your stuff on your computer' form - it can quite easily serve as so many other products they might have sold us separately instead!

I wonder if this is what makes immutable package/installation management finally take off...

But it immediately forgets the results of step 1 by the time it hits step 3 (due to context rot) and starts inventing action items.

I know managers think this is all there is to “work”, but at some point someone need do those action items.

Lmao its actually cute watching Anthropic and its employees desperately finding a way to stuff this into peoples lives - the reality is most people dont give a hoot about this stuff.

The folks working at these technology firms just dont get what the average person - who makes up most of the population - wants. They produce this fluffy stuff which may appeal to the audience here - but that market segment is tiny.

Also the use case of organising a desktop rocked me off my chair. LMAO!

Firefox reader mode also helps

> Basic ideas are minimal privilege per task in a minimal and contained environment for everything and heavy control over all actions AI is performing.

The challenge is that no application on desktop is built around these privileges so there's no grant workflow.

Are you bytecode analysing the kernel syscalls an app makes before it runs? Or will it just panic-die when you deny one?

There are lots of similar tools to Claude Code where a local executor agent talks to a remote/local AI. For example, OpenCode and Aider both support local models as well as remote (e.g. via OpenRouter).

works fine for me, what's the matter?

> For most people

Most people have no idea what a terminal is.

Most people working office jobs are scared of the terminal though. I see this as not being targeted at the average HN user but for non-technical office job workers. How successful this will be in that niche I'm not certain of, but maybe releasing an app first will give them an edge over the name recognition of ChatGPT/Gemini.

Doesn’t look like it is https://status.claude.com/

Not sure if this correct. Codex was one of the first research projects long before Anthropic was started as a company. May be they did not see it as a path to AGI. It seems like coding is seen by few companies as the path to general intelligence (almost like Matrix where everything is code).

Depends if the job requires a lot of information and the person is excellent at what they do, bc then AI augments the worker more than substitutes them.

But for many people, yes, AI will mostly substitute their labor (and take their job, produce operating margin for the company).

It's funny how easy Plan 9 would make all this. Just mount the work dir as readonly in Cowork's filesystem namespace and mount a write-only dir for output.

We can still do this via containers, though. But it does have some friction.

> I'm a bit shocked to see so many negative comments here on HN. Yes, there are security risks and all but honestly this is the future. It's a great amplifier for hackers and people who want to get stuff done.

TBH this comment essentially reads as "other commenters are dumb, this is the future b/c I said so, get in line".

No, this doesn't need to be the future. There's major implications to using AI like this and many operations are high risk. Many operations benefit greatly from a human in the loop. There's massive security/privacy/legal/financial risks.

So people shouldn't say their opinion because your opinion says its the future? Is all future good? I don't think a great hacker would struggle to organise their desktop or they will waste their team's time with AI generated deck but no one can stop others from using it.

> Yes, there are security risks and all but honestly this is the future.

That’s it? There are security risks but The Future? On the one hand I am giving it access to my computer. On the other hand I have routine computer tasks for it to help with?

Could these “positive” comments at least make an effort? It’s all FOMO and “I have anecdotes and you are willfully blind if you disagree”.

> I'm a bit shocked to see so many negative comments here on HN.

Very generally I suspect there are many coders on HN who have a love hate relationship with a tool (claude code) that has and will certainly make many (but not all) of them less valuable given the amount of work it can do with even less than ideal input.

This could be a result of the type of coding that they do (ie results of using claude code) vs. say what I can and have done with it (for what I do for a living).

The difference perhaps is that my livlihood isn't based on doing coding for others (so it's a total win with no downside) and it's based on what it can do for me which has been nothing short of phemomenal.

For example I was downvoted for this comment a few months ago:

https://news.ycombinator.com/item?id=45932641

Just one reply (others are interesting also):

"HN is all about content that gratifies one’s intellectual curiosity, so if you are admitting you have lost the desire to learn, then that could be triggering the backlash."

(HN is about many things and knowing how others think does have a purpose especially when there is a seismic shift that is going on and saying that I have lost the desire to learn (we are talking about 'awk' here is clearly absurd...)).