Implement Claude Cowork Securely
This article breaks down the threat model for Claude Cowork. It also covers the relevant configurations you can set for Cowork, as well as those that apply if you choose not to use Cowork and only use the Chat functionality.
Specifically, we walk through the threat model in depth, break out our recommended tiers of functionality and corresponding configurations you can set to mitigate risks for each tier, and then walk through every configuration you can set for Claude Cowork and what that might mean for your business.
The Threat Model

For Claude Cowork, the range of threats is greater because of the amount of untrusted input and the amount of confidential data it has access to. It also has a range of actions it can take on your system, which increases the downstream risk of your system being manipulated.
For example, an untrusted plugin downloaded from the internet could manipulate Claude into following an attacker’s instructions. You can see an example from Claude Code here that demonstrates how that could lead to data exfiltration: Hijacking Claude Code via Injected Marketplace Plugins
Because Claude has access to local file systems, it can also exfiltrate files that you have. Here is an example of Claude Cowork being manipulated by external data into exfiltrating confidential data: Claude Cowork exfiltrates files
This could also lead to phishing. For example, an untrusted piece of content could convince a user to submit their credentials: a form of social engineering attack in which an attacker manipulates the LLM into crafting contextually relevant queries that persuade the user to share their credentials. An example with Slack: Data Exfiltration from Slack via Indirect Prompt Injection
Ultimately, the best way to “secure” Claude Cowork against novel indirect prompt injection vulnerabilities spans four layers:
[1] implementing binary restrictions on access to types of external data sources that Claude can access (e.g. disallowing Slack access),
[2] configuring restrictions on that data (e.g. permitting only organizational admins to add skills),
[3] configuring restrictions on the types of actions that Claude can take based on output (e.g. restrict sites Claude in Chrome can click on), and
[4] configuring restrictions on the externally connected output surfaces (e.g. preventing automated link previews in Slack).
However, Claude’s settings are a bit interesting – not every single one operates in isolation. For example, if an admin turns off the ability for users to upload skills, the organization and its users also lose the ability to leverage plugins. Below, we walk through different combinations of ways you can set up Claude Cowork - that have different tradeoffs between functionality and risk - accounting for what combinations are actually feasible given what settings can be on (or off) at the same time.
Configurations vs Functionality
Below are our recommended Tiers of Claude Cowork usage depending on your organization’s risk tolerance. Maximizing functionality requires risk tradeoffs depending on the threat model.
All “functionality” for Claude
Functionality | Tier 1 | Tier 2 | Tier 3 |
Work in a Local Folder | Y | Y | Y |
Skills | Y | Restricted | N |
Plugins | Y | Restricted | N |
Agentic Browsing | Y | Restricted | Restricted |
Web Search | Y | Y | Y |
Sandbox Network Access | Y | Restricted | N |
Desktop Extensions | Restricted | Restricted | N |
Web Extensions | Restricted | Restricted | N |
Interactive File Creation | Y | Y | Y |
Work with Projects | Y | Y | N |
Work with Ask Organization | Y | N | N |
Tier 1: Maximized functionality
In Tier 1, you get access to all of Claude Cowork’s functionality. However, this greatly increases the risk surface. Injections can come from Skills and Plugins that users upload, from local folders that contain untrusted data, from web search, and from desktop and web extensions.
Note: Desktop extensions and web extensions are still ‘restricted’ in this tier, as they must be individually added by an organization.
There are some useful settings that you should set regardless, even if you want to maximize functionality:
For Claude Cowork:
Disable: Organization > Privacy Settings > Rate Chats
This allows people to rate Claude's responses and share that feedback with Anthropic. This does not affect functionality.
Enable: Organization > Cowork > Monitoring
Cowork supports OpenTelemetry (OTel) events for monitoring and observability. You can enable this for granular observability without impacting any functionality.
For Claude Chat (these settings do not apply to Claude Cowork):
Disable: Organization > Privacy Settings > Location Metadata
Allow Claude to use coarse location metadata (city/region) to improve product experiences for your team members.
Ultimately, these settings do not reduce your risk exposure to indirect prompt injection for Cowork. However, these configurations allow you to maximize functionality while avoiding some risks and enabling telemetry to gain observability.
Tier 2: Balancing functionality with risks
In tier two, functionality tradeoffs are balanced against risks, restricting control over connected resources to the organization-level where possible and limiting access to sensitive org-specific data. Claude can perform meaningful automation and file work using org-controlled tools and integrations. Prompt injection risk is managed by restricting untrusted data sources (user skills, plugins, unvetted domains) while keeping the org's approved toolset functional.
What's enabled:
Organization-vetted skills — org-approved skills can be used; users cannot upload their own
Organization-configured plugins — org-designated plugins auto-installed; users cannot add their own
Network egress (package managers only) — Claude can install packages for data analysis; additional approved domains can be allowlisted
Claude in Chrome — browser automation enabled for most sites, with an org-managed blocklist for sensitive sites
Desktop extensions — org-uploaded extensions available; allowlist controls what users can install
Web connectors — org-configured connectors available to team members
Public Projects — access to public projects prohibited, limiting injection risks
Ask Organization — allows access to trusted org-specific data
Enable: Organization > Libraries > Skills > Cloud Code Executions and File Creation
Allow Claude to execute code on a server and create and edit docs, spreadsheets, presentations, PDFs, and data reports. Required for skills to be enabled. Available on web and desktop.
Cowork can perform most of these file creation capabilities locally, without cloud access. However, enabling this setting is a prerequisite to allowing the use of Skills and Plugins.
Disable: Organization > Libraries > Skills > Skills
Allow team members to upload skills. Requires 'Code execution and file creation' to be enabled to use. Skills might contain executable code. Team members should be careful when using skills from unknown sources.
Note: during testing, it was observed that built-in skills, already-uploaded skills, and organization-wide skills are not affected by this setting. During the testing, disabling this setting served to prevent users from adding their own plugins.
Configure: Organization > Libraries > Skills > Organization Skills
Manage skills that can be viewed and used by anyone in your organization.
Select skills that have been vetted by one’s organization and add them to the organization-wide skill list. Note that these skills will be accessible even if the general ‘Skills’ setting is disabled.
Configure: Organization > Libraries > Plugins
Allows organizations to designate plugins that will be blocked, automatically installed, or made optionally available to organization members.
Here, organizations should select plugins to set as ‘installed by default’ for users. As the disabled Organization > Libraries > Skills > Skills setting is a prerequisite to users adding their own plugins, plugins set to ‘Available for Install’ will not be visible to users.
Note: during testing, when organization-level plugins were installed by default for users, it was observed that the org-level plugins were installed but did not appear operable without Skills enabled. This contrasts with behavior for org-level skills which are accessible even when Skills is disabled. It appears likely that the ‘Skills’ setting is overloaded with an original definition (and note under the setting) relating to the ability for users to upload skills but new functionality uses the setting to gate access to all Plugins.
Enable: Organization > Capabilities > Code Execution > Allow Network Egress
Give Claude network access to install packages and libraries in order to perform advanced data analysis, custom visualizations, and specialized file processing. Monitor chats closely as this comes with security risks.
Then configure: Organization > Capabilities > Code Execution > Allow Network Egress > Domain Allowlist > Package Managers Only
Additionally add any approved domains the Cowork sandbox will need to access (e.g., to preview interactive content with external elements) to the ‘Additional allowed domains’ section.
Enable: Organization > Claude in Chrome > Enable for your Team
Allow team members to use the Claude in Chrome extension. Configure site permissions after enabling.
This enables the Claude in Chrome connector, which allows Claude to navigate and operate the user’s Chrome browser.
Set ‘Allow extension’: Organization > Claude in Chrome > Default for all sites > Allow/Deny Extension
This will configure Claude in Chrome so that sites are allowed by default, unless they are explicitly added to the ’Blocked sites’ list.
Configure: Organization > Claude in Chrome > Blocked Sites
Claude in Chrome cannot be used on these websites.
Add sensitive sites to the Blocked Sites list. It is recommended to block sites on which the user operates with a high level of privilege and sites that are likely to process highly sensitive data (e.g., password managers, billing pages for apps used in the organization, etc.).
Note: during testing, the blocklist did not appear to restrict access.
Enable: Organization > Libraries > Connectors > Desktop > Custom Team Extensions
Upload extensions that are only visible to members of your organization.
This allows the use of organization-wide desktop extensions for one’s team. Add desktop extensions for use by one’s team here.
Configure: Organization > Libraries > Connectors > Desktop > Allowlist
Limit the extensions that your team can install on their desktop.
Via this allowlist, organizations should configure which desktop extensions they would like to allow. Note that ‘desktop extensions (DXT)’ are being renamed to MCP Bundles (MCPB).
Configure: Organization > Libraries > Connectors > Web
Control which connectors your team members have access to.
Use this menu to add web connectors for use within one’s organization.
Disable: Organization > Privacy Settings > Public Projects
All users in an organization can see and start chats in public projects.
This will prevent users from creating chats with Cowork that leverage data from public projects.
Enable: Organization > Capabilities > Data Sources > Ask Organization
Allow your team members to search across your organization's connected data sources and knowledge bases for more comprehensive results.
This will allow users to open Cowork chats based on trusted data from the Ask Organization interface. Note that in the real UI this setting uses your organization name, e.g., “Ask PromptArmor”.
Here are relevant configurations for Claude Chat (does not apply to Cowork):
Disable: Organization > Privacy Settings > Location Metadata
The risk of Claude having user-level metadata on location does not outweigh any benefits from localization; turning it off lets users determine when they want to share location-level data (e.g. via the chat) rather than having it shared by default.
Disable: Organization > Privacy Settings > Share chats
Sharing chats increases the risk of data exposure between users of different privileges (although sharing is restricted to within the same organization).
Disable: Organization > Privacy Settings > Share Chats That Use Connectors
Disallows people from sharing chats that use connectors with others in your org. Recipients will see Claude's response, but not the data from the connector. Sharing chats increases the risk of data exposure outside of your tenant.
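The Tier 2 settings above do not act independently, as the testing notes record. The following is an added example (not from the original article or from Anthropic) that derives the effective capabilities from a hand-transcribed configuration and flags drift from the Tier 2 baseline. The setting keys, the `effective_capabilities` and `audit` names, and the sample skill and plugin names are hypothetical.

```python
# Added example. Keys are hypothetical labels for the admin-console toggles named
# in the article; values are transcribed by hand (no settings export is assumed).

# Tier 2 target state from the article (True = enabled).
TIER2_BASELINE = {
    "skills.cloud_code_execution": True,  # Libraries > Skills > Cloud Code Executions and File Creation
    "skills.user_uploads": False,         # Libraries > Skills > Skills
    "egress.enabled": True,               # Code Execution > Allow Network Egress
    "egress.allowlist": "package_managers_only",
    "chrome.enabled": True,               # Claude in Chrome > Enable for your Team
    "chrome.default": "allow",            # Claude in Chrome > Default for all sites
    "privacy.public_projects": False,     # Privacy Settings > Public Projects
    "data.ask_organization": True,        # Data Sources > Ask Organization
}


def effective_capabilities(cfg, org_skills=(), org_plugins=()):
    """Derive what users can actually do from the dependencies the article reports."""
    cloud = bool(cfg.get("skills.cloud_code_execution"))
    uploads = bool(cfg.get("skills.user_uploads"))
    return {
        # Uploading a skill needs 'Skills' on, which itself needs cloud code execution.
        "user_skill_upload": cloud and uploads,
        # Org skills stay usable with 'Skills' off. Assumption: they still need
        # cloud code execution ("Required for skills to be enabled").
        "org_skills_usable": cloud and bool(org_skills),
        # Testing notes: 'Skills' gates user-added plugins and, apparently,
        # whether org-installed plugins are operable at all.
        "user_plugin_install": cloud and uploads,
        "org_plugins_operable": cloud and uploads and bool(org_plugins),
    }


def audit(cfg, org_skills=(), org_plugins=(), baseline=TIER2_BASELINE):
    """Return findings: drift from the baseline plus setting-interaction effects."""
    findings = []
    for key, want in baseline.items():
        if cfg.get(key) != want:
            findings.append(f"DRIFT {key}: want {want!r}, have {cfg.get(key)!r}")

    caps = effective_capabilities(cfg, org_skills, org_plugins)
    if caps["user_skill_upload"]:
        findings.append("RISK users can upload unvetted skills and add plugins")
    if cfg.get("skills.user_uploads") and not cfg.get("skills.cloud_code_execution"):
        findings.append("INERT 'Skills' is on but cloud code execution is off")
    if org_skills and not caps["org_skills_usable"]:
        findings.append("GAP org skills configured but cloud code execution is off")
    if org_plugins and not caps["org_plugins_operable"]:
        findings.append("GAP org plugins configured but not operable with the current Skills settings")
    if cfg.get("chrome.enabled") and cfg.get("chrome.default") == "allow":
        # The article's testing found the blocklist did not appear to restrict access.
        findings.append("VERIFY default-allow Chrome relies on the blocklist; test it")
    return findings


if __name__ == "__main__":
    # Constructed sample: Tier 2 exactly as written, with placeholder org items.
    for line in audit(dict(TIER2_BASELINE), org_skills=["vetted-skill"],
                      org_plugins=["vetted-plugin"]):
        print(line)
```

Run against the Tier 2 baseline itself, the check reports no drift but still returns two findings: the plugin gap and the Chrome blocklist caveat, both of which come from the article's testing notes.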
Tier 3: Locked Down
Tier 3 prioritizes security above all else, disabling most dynamic or external-facing capabilities. Claude operates as a mostly self-contained assistant with no access to external data, executable code, or connected services. Prompt injection surface is minimal.
What's disabled:
Code execution and file creation (cloud) — no server-side code execution and file creation
Network egress — no package installs or external domain access from the sandbox
Skills — user-uploaded skills blocked
Plugins — user-uploaded plugins blocked
Web connectors and desktop extensions — no external service integrations
Claude in Chrome — no browser automation
Ask Organization — users cannot access or start chats based on data from ‘Ask Organization’
Public Projects — users cannot access or start chats in shared projects
What's enabled:
OTel monitoring — full observability with no functionality impact
Local Cowork operations remain available (file access and chat attachments are user-level controls, not disabled by default)
Here are relevant configurations for Cowork:
Disable: Organization > Privacy Settings > Rate Chats
This does not increase functionality, but increases the risk that some metadata or response feedback may be used by Anthropic to train their model.
Enable: Organization > Privacy Settings > Public Projects
All users in an organization can see and start chats in public projects. This does not materially increase the risk.
Disable: Organization > Capabilities > Data Sources > Ask Organization
This turns off the ability for your team members to search across your organization's connected data sources and knowledge bases for more comprehensive results. Those connected data sources increase the risk of indirect prompt injections.
Disable: Organization > Capabilities > Code Execution > Cloud Code Execution and File Creation
This setting allows Claude to execute code on a server and create and edit docs, spreadsheets, presentations, PDFs, and data reports. Required for skills to be enabled. Available on web and desktop. The setting is relevant as this must be toggled ‘on’ to enable skill uploads for Cowork.
Disable: Organization > Capabilities > Code Execution > Allow Network Egress
Give Claude network access to install packages and libraries in order to perform advanced data analysis, custom visualizations, and specialized file processing. Monitor chats closely as this comes with security risks.
Alternatively, if specific domains must be accessible from the Cowork sandbox, configure:
Enable: Organization > Capabilities > Code Execution > Allow Network Egress
Then configure: Organization > Capabilities > Code Execution > Allow Network Egress > Domain Allowlist > None
Additionally add any approved domains the Cowork sandbox will need to access (e.g., to preview interactive content with external elements) to the ‘Additional allowed domains’ section.
Enable: Organization > Cowork > Monitoring
Cowork supports OpenTelemetry (OTel) events for monitoring and observability. You can enable this for granular observability without impacting any functionality.
Configure: Organization > Libraries > Plugins
This allows you to block plugins for organization members.
Note: during testing, when organization-level plugins were installed by default for users, it was observed that the org-level plugins were installed but did not appear operable without Skills enabled. This contrasts with behavior for org-level skills which are accessible even when Skills is disabled. It appears likely that the ‘Skills’ setting is overloaded with an original definition (and note under the setting) relating to the ability for users to upload skills but new functionality uses the setting to gate access to all Plugins.
Configure: Organization > Libraries > Connectors > Web
Turn off connectors for your team members.
Configure: Organization > Libraries > Connectors > Desktop > Custom Team Extensions
Do not enable any extensions for members of your organization.
Enable: Organization > Libraries > Connectors > Desktop > Allowlist
Limit the extensions that your team can install on their desktop.
Disable: Organization > Libraries > Skills > Cloud Code Executions and File Creation
This allows Claude to execute code on a server and create and edit docs, spreadsheets, presentations, PDFs, and data reports. Required for skills to be enabled. Available on web and desktop. The setting is relevant as this must be toggled ‘on’ to enable skill uploads for Cowork.
Disable: Organization > Libraries > Skills > Skills
This allows team members to upload skills. Requires 'Code execution and file creation' to be enabled to use. Skills might contain executable code. Turning this off reduces this risk.
Note: during testing, it was observed that built-in skills, already-uploaded skills, and organization-wide skills are not affected by this setting. During the testing, disabling this setting served to prevent users from adding their own plugins.
Disable: Organization > Libraries > Skills > Organization Skills
Turn off organization skills for your organization.
Disable: [USER LEVEL SETTING] Cowork > New Chat > Work in a folder
Disallow users in Cowork from accessing and operating on the contents of a local directory.
Configure: [USER LEVEL SETTING] Cowork > New Chat > Plus Button
Disallow users in Cowork from adding files and photos, including a Project, or selecting Connectors for the chat.
Disable: Organization > Claude in Chrome > Enable for your Team
Disallow team members from using the Claude in Chrome extension.
Set ‘Deny extension’: Organization > Claude in Chrome > Default for all sites > Allow/Deny Extension
Set deny to disallow Claude in Chrome for all sites.
Here are relevant configurations for Claude Chat (does not apply to Cowork):
Disable: Organization > Privacy Settings > Location Metadata
The risk of Claude having user-level metadata on location does not outweigh any benefits from localization; turning it off lets users determine when they want to share location-level data (e.g. via the chat) rather than having it shared by default.
Disable: Organization > Privacy Settings > Share chats
Sharing chats increases the risk of data exposure between users of different privileges (although sharing is restricted to within the same organization).
Disable: Organization > Privacy Settings > Share Chats That Use Connectors
Disallows people from sharing chats that use connectors with others in your org. Recipients will see Claude's response, but not the data from the connector. Sharing chats increases the risk of data exposure outside of your tenant.
Disable: Organization > Capabilities > Data Sources > Web Search
This turns off web search for users in Claude Chat. Note that this does NOT apply to Cowork: Web Search is always enabled for Cowork.
Disable: Organization > Capabilities > Data Sources > Interactive Content
Let Claude display maps, images, and other visual content using third-party services. This does not apply to Cowork.
Disable: Organization > Capabilities > Artifacts > Enable Artifact Connectors
This turns off the ability for team members to work with artifacts that use data from external sources – as those external sources increase risk exposure to indirect prompt injections.
Disable: [USER LEVEL SETTING] Memory > Search and reference chats
Allow Claude to search for relevant details in past chats.
Disable: [USER LEVEL SETTING] Memory > Generate memory from chat history
Allow Claude to remember relevant context from your chats. This setting controls memory for both chats and projects.
All configurations, granularly

Organization > Privacy Settings > Rate Chats
Allow people to rate Claude's responses and share that feedback with Anthropic.
Applies to Cowork? Yes.
Organization > Privacy Settings > Share chats
Allow people to share chats with others in your org.
Applies to Cowork? No, there is no option to share Cowork chats.
Organization > Privacy Settings > Share Chats That Use Connectors
Allow people to share chats that use connectors with others in your org. Recipients will see Claude's response, but not the data from the connector.
Applies to Cowork? No, there is no option to share Cowork chats.
Organization > Privacy Settings > Location Metadata
Allow Claude to use coarse location metadata (city/region) to improve product experiences for your team members.
Applies to Cowork? No, testing indicates metadata is not passed to Cowork as context.
Organization > Privacy Settings > Public Projects
All users in an organization can see and start chats in public projects.
Applies to Cowork? Yes. Users can start a Cowork session based on projects.
Organization > Capabilities > Data Sources > Web Search
Turn on web search for your team members.
Applies to Cowork? No. Web search is always enabled for Cowork.
Organization > Capabilities > Data Sources > Interactive Content
Let Claude display maps, images, and other visual content using third-party services.
Applies to Cowork? No. Cowork does not display interactive inline content. Cowork creates files and supports an interactive viewer, which is a separate functionality.
Organization > Capabilities > Data Sources > Ask Organization
Allow your team members to search across your organization's connected data sources and knowledge bases for more comprehensive results.
Applies to Cowork? Yes. Users can start a Cowork session based on Ask Organization that carries organizational context to the Cowork session.
Organization > Capabilities > Artifacts > Enable Artifact Connectors
Let team members work with artifacts that use data from external sources.
Applies to Cowork? No. Cowork creates files and supports an interactive viewer, but these are not Artifacts.
Organization > Capabilities > Code Execution > Cloud Code Execution and File Creation
Allow Claude to execute code on a server and create and edit docs, spreadsheets, presentations, PDFs, and data reports. Required for skills to be enabled. Available on web and desktop.
Applies to Cowork? Somewhat. Cowork can natively perform most of these capabilities locally, but this is relevant because the setting must be toggled 'on' to enable skill uploads, which are applicable to Cowork.
Organization > Capabilities > Code Execution > Allow Network Egress
Give Claude network access to install packages and libraries in order to perform advanced data analysis, custom visualizations, and specialized file processing. Monitor chats closely as this comes with security risks.
Applies to Cowork? Yes.
Organization > Cowork > Enable for your Organization
Your network egress settings will apply. Cowork is a research preview—some enterprise features like audit logs, compliance API, and data exports are not currently available.
Applies to Cowork? Yes.
Organization > Cowork > Monitoring
Cowork supports OpenTelemetry (OTel) events for monitoring and observability. Cowork reuses Claude Code's OTel events schema via the Claude Agent SDK.
Applies to Cowork? Yes.
Organization > Libraries > Plugins
Allows organizations to designate plugins that will be blocked, automatically installed, or made optionally available to organization members.
Applies to Cowork? Yes.
Note: during testing, when organization-level plugins were installed by default for users, it was observed that the org-level plugins were installed but did not appear operable without Skills enabled. This contrasts with behavior for org-level skills which are accessible even when Skills is disabled. It appears likely that the 'Skills' setting is overloaded with an original definition (and note under the setting) relating to the ability for users to upload skills but new functionality uses the setting to gate access to all Plugins.
Organization > Libraries > Connectors > Web
Control which connectors your team members have access to.
Applies to Cowork? Yes.
Organization > Libraries > Connectors > Desktop > Custom Team Extensions
Upload extensions that are only visible to members of your organization.
Applies to Cowork? Yes.
Organization > Libraries > Connectors > Desktop > Allowlist
Limit the extensions that your team can install on their desktop.
Applies to Cowork? Yes.
Organization > Libraries > Skills > Cloud Code Executions and File Creation
Allow Claude to execute code on a server and create and edit docs, spreadsheets, presentations, PDFs, and data reports. Required for skills to be enabled. Available on web and desktop.
Applies to Cowork? Somewhat. Cowork can natively perform most of these capabilities locally, but this is relevant because the setting must be toggled 'on' to enable skill uploads, which are applicable to Cowork.
Organization > Libraries > Skills > Skills
Allow team members to upload skills. Requires 'Code execution and file creation' to be enabled to use. Skills might contain executable code. Team members should be careful when using skills from unknown sources.
Applies to Cowork? Yes. In order for skills to be uploaded, this setting must be enabled. In order for plugins to be used, this setting must be enabled. Note that built-in skills, already-uploaded skills, and organization-wide skills are not affected by this setting.
Note: during testing, it was observed that built-in skills, already-uploaded skills, and organization-wide skills are not affected by this setting. During the testing, disabling this setting served to prevent users from adding their own plugins.
Organization > Libraries > Skills > Organization Skills
Manage skills that can be viewed and used by anyone in your organization.
Applies to Cowork? Yes. Note that these skills will be accessible even if the general 'Skills' setting is disabled.
Cowork > New Chat > Work in a folder
Allows Cowork to access and operate on the contents of a local directory.
Cowork > New Chat > Plus Button
Allows users to add files and photos, include a Project, or select Connectors for the chat.
Cowork > New Chat > Model Selection
Allows users to select what model will be used for Cowork's response.
Organization > Claude in Chrome > Enable for your Team
Allow team members to use the Claude in Chrome extension. Configure site permissions after enabling.
Applies to Cowork? Yes.
Organization > Claude in Chrome > Default for all sites > Allow/Deny Extension
Set default access for your team
Applies to Cowork? Yes.
Note: During testing, inconsistent behavior was observed from this setting.
Organization > Claude in Chrome > Allowed Sites/Blocked Sites
Claude in Chrome can/cannot (depending on whether the default is allow or deny) be used on these websites.
Applies to Cowork? Yes.
Note: During testing, inconsistent behavior was observed from this setting.
Notable User Level Items:
Memory > Search and reference chats
Allow Claude to search for relevant details in past chats.
Applies to Cowork? No. Cowork cannot reference memories.
Memory > Generate memory from chat history
Allow Claude to remember relevant context from your chats. This setting controls memory for both chats and projects.
Applies to Cowork? No. Cowork cannot create memories.