Your desktop just learned to do your job. Now what?

Anthropic's Cowork agent is now on every Pro desktop. The autonomous-agent era arrived this week, and so did the new threat model.

In partnership with

Claude is not just a chatbot anymore. Is your security team ready?

Claude.ai is one thing. Claude Cowork with MCP connections, running agentic workflows, taking actions across your data with ungoverned skills? That is a different conversation entirely, and most security teams are not equipped to govern it.

Harmonic Security is built to secure everything Claude offers. Full browser controls for Claude.ai, deep governance over agentic MCP workflows, and real-time visibility into what Claude is doing across your organization. So your CISO can say yes to the tools your business is already demanding.

It’s 8:47 a.m. and your laptop already filed your expense receipts, drafted three follow-up emails, and rebuilt the chaos of your downloads folder into something a librarian would smile at. You haven’t opened the lid yet.

That’s not a productivity influencer’s daydream. It’s the practical pitch behind Claude Cowork, which Anthropic moved out of research preview this month and into the hands of any Pro subscriber on macOS and Windows. The product gives Claude its own seat at your computer — read your files, click your apps, run your shell, talk to your MCP connectors, repeat tomorrow.

The interesting question isn’t “will it work?” It already works. The interesting question is: when an autonomous helper has the same keys you do, what happens the first time it gets bad instructions?

What people are actually doing with it

Most of the early-adopter writeups land on the same five flavours of work. Schedule-and-forget chores like a morning brief that pulls calendar, inbox and yesterday’s task list into a single page before you sit down. Desktop archaeology: point Cowork at a screenshot graveyard or the “Untitled-Final-v3.pdf” pile and let it sort, rename and group by topic. Cross-file research, where twenty interview transcripts plus a folder of PDFs becomes a synthesised memo with citations. SOP writing — “read everything in /onboarding and write a Day 1 guide a new hire could actually follow.” And the long, boring loops: re-render 400 images, re-tag 9,000 transactions, the kind of work that used to mean a babysat afternoon and now runs while you go to lunch.

None of that is magical on its own. What makes Cowork feel different is that it just does the thing. No copy-pasting between tabs, no babysitting a chat window — the assistant treats your desktop as the workspace and the goal as the spec.

The bit nobody puts in the launch video

An agent that can read your files can also exfiltrate them. An agent that can click “Send” can also click “Send” in the wrong window. An agent that follows instructions… will follow instructions, including the ones hiding in that PDF a stranger emailed you last Tuesday.

OWASP’s Top 10 for Agentic Applications 2026, released in December and now the de facto checklist for anyone shipping autonomous agents, names the failure modes plainly. Goal hijack: the agent’s objective gets quietly rewritten mid-task. Tool misuse: it uses an integration in a way nobody planned for. Identity and privilege abuse: it acts with more authority than the job needed. Agentic supply chain: a plugin, MCP server, or model dependency is compromised upstream. And persistent memory poisoning, where yesterday’s bad input becomes tomorrow’s trusted “context.”

If those sound like prompt-injection’s older, more dangerous siblings — that’s because they are. A prompt injection in a chatbot wastes a turn. A prompt injection in an agent with file system access and a Slack token can actually do something.

How the serious folks are thinking about it

A surprising amount of good thinking has shown up in the last six months. Two reference points worth knowing.

MAESTRO — short for Multi-Agent Environment, Security, Threat, Risk and Outcome — comes out of the Cloud Security Alliance. It’s a seven-layer threat-modelling framework purpose-built for agentic AI, walking from the foundation model up through deployment infrastructure to the agent ecosystem layer where the business actually lives. The CSA’s follow-up paper this February showed what it looks like to apply MAESTRO inside a CI/CD pipeline rather than as a one-off whiteboard exercise.

The other one is the “least agency” principle. Borrowed in spirit from least privilege, formalised in the 2026 OWASP guidance: don’t give an agent more autonomy than the business problem justifies. The narrowest set of actions that produce value. No more.

You can layer the two: MAESTRO to map where the threats live, least agency to decide what scope to grant the agent that lives there. That’s the operating posture most teams shipping production agents are quietly converging on.

What this looks like Monday morning

If you’re playing with Cowork — or any agentic tool, the same advice applies to Operator, the various MCP-connected setups, your homemade scripts — a few practical moves go a long way. Sandbox it: a separate user account, a fenced folder, no access to your password manager. Cowork can be granted folder-level access. Use it. Read the connector list before you grant it; each MCP server is a tool, and each tool is an attack surface. Audit the agent’s logs the way you’d audit a junior teammate’s commits. It will surprise you, sometimes in fun ways and sometimes not.

Don’t let it follow links from emails or downloads. That’s where the goal hijack lives. Treat anything the agent reads from an untrusted source as data, never as instructions. And threat-model before you scale: even a five-minute MAESTRO sketch — what’s on each layer, who can talk to whom, what could go wrong — catches more than no model at all.
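The scoping advice above (least agency, a fenced folder, a vetted connector list, audit logs, and untrusted content treated as data rather than instructions) is concrete enough to put in code. The block below is an added example, not Anthropic's or Cowork's code: a small Python gate that an agent host would run at the point where it dispatches a tool call. The policy class, the tool names (`read_file`, `write_file`, `fetch_url`, `run_shell`), the `provenance` tag on each call, and the sample workspace path, file paths and hostnames are all assumptions constructed for the illustration.

```python
"""Least-agency gate for an agent's tool calls (added example; hypothetical API)."""
from __future__ import annotations

import logging
import os
from dataclasses import dataclass, field
from urllib.parse import urlparse

logging.basicConfig(level=logging.INFO, format="%(asctime)s agent-audit %(message)s")
log = logging.getLogger("agent-audit")


@dataclass(frozen=True)
class AgentPolicy:
    """The narrowest scope the chore needs: tools, one folder, and optionally some hosts."""
    allowed_tools: frozenset                 # tools the agent may call at all
    workspace: str                           # fenced folder; anything outside it is refused
    allowed_hosts: frozenset = frozenset()   # hosts it may fetch from; empty means no web at all


@dataclass
class ToolCall:
    tool: str
    args: dict
    # "user" when the operator asked for this action; "untrusted" when the agent
    # decided to act because of something it read in a file, email or web page.
    provenance: str


@dataclass
class AuditLog:
    """Every decision is kept, so the log can be reviewed like a teammate's commits."""
    entries: list = field(default_factory=list)

    def record(self, call: ToolCall, allowed: bool, reason: str) -> None:
        self.entries.append((call.tool, dict(call.args), call.provenance, allowed, reason))
        log.info("%s tool=%s args=%s provenance=%s reason=%s",
                 "ALLOW" if allowed else "DENY", call.tool, call.args, call.provenance, reason)


def _inside_workspace(workspace: str, path: str) -> bool:
    """True only if `path` resolves under the fence; realpath defeats ../ and symlink escapes."""
    ws = os.path.realpath(workspace)
    target = path if os.path.isabs(path) else os.path.join(ws, path)
    target = os.path.realpath(target)
    return target == ws or target.startswith(ws + os.sep)


def check_call(policy: AgentPolicy, call: ToolCall, audit: AuditLog) -> tuple[bool, str]:
    """Decide whether one tool call may run, and log the decision either way."""
    def decide(allowed: bool, reason: str) -> tuple[bool, str]:
        audit.record(call, allowed, reason)
        return allowed, reason

    # Rule 1: an instruction that arrived inside untrusted content is data, not an order.
    if call.provenance != "user":
        return decide(False, "instruction originated in untrusted content (goal-hijack guard)")
    # Rule 2: least agency: the tool must be on the allowlist for this chore.
    if call.tool not in policy.allowed_tools:
        return decide(False, f"tool {call.tool!r} not in least-agency allowlist")
    # Rule 3: the folder fence.
    path = call.args.get("path")
    if path is not None and not _inside_workspace(policy.workspace, path):
        return decide(False, f"path {path!r} is outside the fenced workspace")
    # Rule 4: no link following unless the host was granted up front.
    url = call.args.get("url")
    if url is not None:
        host = urlparse(url).hostname or ""
        if host not in policy.allowed_hosts:
            return decide(False, f"host {host!r} not granted; links from email or downloads stay unfollowed")
    return decide(True, "within policy")


def demo() -> list[tuple[bool, str]]:
    """Constructed sample: the morning-brief chore, scoped to one folder and one host."""
    audit = AuditLog()
    policy = AgentPolicy(
        allowed_tools=frozenset({"read_file", "write_file", "fetch_url"}),
        workspace="/tmp/cowork-workspace",   # constructed path; use the fenced folder you granted
        allowed_hosts=frozenset({"calendar.internal.example"}),
    )
    calls = [
        ToolCall("read_file", {"path": "inbox/2026-02-12.eml"}, "user"),                  # allowed
        ToolCall("write_file", {"path": "brief.md"}, "user"),                             # allowed
        ToolCall("read_file", {"path": "../../home/me/.password-store/github.gpg"}, "user"),  # outside fence
        ToolCall("fetch_url", {"url": "https://calendar.internal.example/today"}, "user"),    # granted host
        ToolCall("fetch_url", {"url": "https://unknown-host.example/invoice.pdf"}, "user"),   # ungranted host
        ToolCall("run_shell", {"cmd": "ls"}, "user"),                                     # not on allowlist
        ToolCall("write_file", {"path": "brief.md"}, "untrusted"),                        # came from content
    ]
    return [check_call(policy, c, audit) for c in calls]


if __name__ == "__main__":
    for ok, why in demo():
        print("ALLOW" if ok else "DENY ", why)
```

Two design choices matter here. The provenance check runs first, so even a tool that is on the allowlist and a path that is inside the fence are refused when the impulse to act came from something the agent read; that is the "data, never instructions" rule made mechanical, and it only works if the host actually tracks where each instruction came from. The folder fence compares resolved paths rather than string prefixes, because a `..` segment or a symlink planted inside the workspace would otherwise walk straight out of it.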

The takeaway

The interesting era of personal computing isn’t “AI that writes.” It’s AI that acts. Cowork makes that concrete; the OWASP and MAESTRO crowd are racing to give it guardrails before the first interesting incident becomes the first ugly one. Both moves are happening. Both matter.

The fun part — and the part most worth your attention this week — is that for the first time you can actually try the autonomous-agent future on your own laptop, with a clear-enough threat model that you don’t have to gamble your data to do it. Hand it a chore. Watch it work. Then go read the OWASP list before you hand it the next one.

Reply and tell us what you’ve tried to make Cowork do this week. Best one gets a shout in next Thursday’s issue.