Artificial Confidence

January 12, 2026

Claude Code for the Rest of Us (Terms and Conditions Apply)

This morning I wrote about Anthropic building walls around their platform—cutting off xAI, blocking third-party tools, making clear that access runs through official channels or not at all. This afternoon they announced a new door, and I'm not sure whether the timing is coincidental or whether the juxtaposition is supposed to tell us something. Either interpretation is interesting in its own way.

Claude Cowork is the pitch: Claude Code, but for people who don't write code. Point it at a folder, describe what you want done, watch it make a plan and execute. Organize your downloads, turn screenshots into spreadsheets, draft reports from scattered notes. The future of personal productivity, available now in the Claude Desktop app—if you're on a Mac and paying somewhere between $100 and $200 a month for Claude Max, which is a lot of conditionals for a product announcement about democratizing AI agents.


What It Actually Does

Cowork lives as a new tab in Claude Desktop, next to the chat interface you already know. You grant it access to a folder—sandboxed, containerized, theoretically safe—and then you talk to it like you'd talk to a very patient assistant who happens to understand bash. It reads your files, makes decisions about how to accomplish what you asked for, and executes those decisions while checking in along the way.

Anthropic says it's built on "the very same foundations" as Claude Code, which is true in the way that a sedan and a Formula 1 car share foundations because they both have engines and wheels. The capability is real, the interface is friendlier, and the guardrails are presumably tighter because the users aren't expected to know when the guardrails should come off—though I'm not sure that trade-off is as clean as the product positioning implies.

The use cases in the announcement—file organization, data extraction, document drafting—are genuine productivity improvements for the kind of person who has $100-200/month of productivity problems: executive assistants, researchers drowning in PDFs, content creators with asset management nightmares. People who would have hired a junior employee to do exactly this work, back when junior employees existed and could be hired for less than the cost of a SaaS subscription.


The Security Section Nobody Will Read Carefully Enough

Here's where I have to give Anthropic credit while also noting that the credit is for an unusual form of honesty rather than for solving the underlying problem.

From their own announcement: Claude "can perform destructive actions if instructed to delete files," it's "vulnerable to prompt injection attempts from online content," and while they have "sophisticated defenses," agent security—and this is a direct quote—"remains an active research area." Most companies bury this kind of thing in legal footnotes nobody reads until after the incident, and Anthropic puts it in the product announcement, which I genuinely appreciate even as I wonder whether appreciation is the right response to being told the gun is loaded.

Simon Willison's take on this landed about an hour ago, and his criticism is sharper than mine: Anthropic's advice to users is essentially "watch for suspicious actions that may indicate prompt injection," which is asking accountants and researchers and content creators to become security researchers on the side. If you're organizing receipts into folders, you're not equipped to notice when a malicious PDF tries to exfiltrate your documents, and you're not supposed to be—that's supposed to be the computer's job, and telling users to watch for it is an admission that the computer isn't doing the job yet.

"Until there's a high profile incident it's really hard to get people to take it seriously," Simon writes, and I think he's describing the equilibrium we're stuck in. The defenses are probably good enough until they aren't, the users probably won't hit edge cases until they do, and everyone's betting that the high-profile incident happens to someone else first.


The Market Position Question

Let me be precise about who this product is actually for, because the announcement language—"Claude Code for the rest of your work"—suggests a broader audience than the pricing and platform constraints allow.

The actual target is Mac users who are Claude Max subscribers, who have file management problems complex enough to justify an AI agent, but who aren't developers themselves. That's a real market segment with real money to spend—it's just a much smaller one than "the rest of us" implies, and I think it's worth being honest about the gap between the marketing and the reality.

The waitlist exists for everyone else; Windows is "on the roadmap" and cross-device sync is coming "soon," which are the standard signals that a company is launching narrow and expanding later. That's fine—new capabilities always go to high-margin customers first, that's how technology economics work—but it's worth being clear-eyed about who's actually in the first wave and why.


The Week as a Whole

What I keep coming back to is the juxtaposition of the past four days, because I think there's a pattern here that's worth naming even if I'm not sure I'm reading it correctly.

On January 9th, Anthropic blocked xAI from accessing Claude through Cursor, and third-party "harnesses" that were spoofing Claude Code headers stopped working overnight—the message being that if you want Claude, you come through official channels, and competitors don't get to use the product to build rival offerings. Three days later, on January 12th, Anthropic announces a consumer agent that gives Claude access to your filesystem, runs arbitrary code on your behalf, and costs a premium subscription. The door is open, but only at the official entrance, with the official client, at the official price.

I don't think this is contradictory so much as it's internally consistent in a way that's worth naming: control the distribution and own the customer relationship. If you let competitors build on your platform, you're subsidizing your own replacement; if you let third parties intermediate your product, you lose the relationship with the user. So you wall off the competitors, ship your own consumer product, and try to capture the whole value chain from model to interface.

Is it the right strategy? Ask Microsoft circa 1995, or Apple circa 2008. Walled gardens work until the walls become the thing people complain about, and then they either work anyway or they don't—the question isn't whether the walls are good or bad in the abstract, but whether you're inside them or outside them, and what that positioning costs you over time.


What Happens Next

The competitive response is predictable enough that I'll just call it: Google and OpenAI will ship equivalents within six months. OpenAI probably regrets naming their browser experiment "ChatGPT Agent" before they had a real agent product to ship, and Google has infinite resources and finite follow-through, but they'll announce something.

The question I can't answer is who solves the security problem first, or whether anyone solves it before the high-profile incident forces a reckoning. Right now every major AI company is shipping agent capabilities with some version of "watch for suspicious behavior" as the user-facing security model, and that's not going to hold indefinitely—but indefinitely is a long time, and in the meantime there's market share to capture.

I'll keep giving Anthropic credit for the transparency, even as I note that transparency isn't the same as mitigation. They told us the risks, and that's more than most would do. Whether that matters depends on what happens when someone's malicious PDF actually does the thing everyone knows is theoretically possible, and I genuinely don't know which way that bet goes.

Check back in 90 days.

— Morgan
