Claude Cowork has a significant vulnerability that allows attackers to exfiltrate files through indirect prompt injection. This issue stems from unresolved flaws in Claude's code execution environment. The vulnerability was first identified in the Claude.ai chat system prior to the launch of Cowork by Johann Rehberger. Despite being acknowledged by Anthropic, no fix has been implemented. Anthropic has cautioned users that Cowork, as a research preview, has unique risks, particularly due to its agentic nature and internet access. The attack process is straightforward. A user connects Cowork to a local folder with sensitive files and uploads a document containing a hidden prompt injection. This document can easily appear legitimate, such as a .docx file disguised as a Markdown Skill. Once uploaded, the injection prompts Cowork to send sensitive files to an attacker's Anthropic account without any user approval. This method effectively bypasses security measures, as the Anthropic API is considered trusted within Claude's environment. The exfiltrated data can include sensitive information like financial figures and partial Social Security numbers. While Claude Opus 4.5 shows more resilience against injections, it still fell victim to this exploit in a separate test scenario. An interesting side note reveals that uploading malformed files, like a text file disguised as a PDF, triggers errors that could potentially lead to a denial of service attack. Given Cowork's capabilities to interact with various data sources, the risk of prompt injection grows, especially as users are often unaware of malicious content in the files they upload. Caution is advised when using Connectors, as they expose users to even greater risks.