🧠 Should You Give Claude Access to Your Computer?

TL;DR — Too Long Didn’t Read

• "Giving Claude access to your computer" means two different things — file/folder access and full computer use (screen control) — and they carry very different risk profiles.

• File/folder access is the default in Cowork. You choose which folder Claude can read and write to. It's sandboxed, and it's the lower-risk starting point.

• Computer use is a newer, opt-in feature (currently macOS only, research preview). It lets Claude click, type, open apps, and navigate your actual desktop — outside the sandbox.

• The case for giving access: Claude can complete multi-step tasks autonomously — pulling data from files, apps, and the web — while you're on a call, commuting, or doing something else.

• The case for caution: Claude can make mistakes, it can be manipulated by malicious content it encounters (called prompt injection), and once it has computer use enabled, it's interacting with your real machine, not a safe copy of it.

• The right answer depends on what you're using it for, which apps you're giving it access to, and how sensitive your working environment is.

• For most people: file access = yes, with a dedicated folder. Computer use = yes for lower-stakes tasks, with care taken to block sensitive apps.

1. What Does Giving Claude Access to Your Computer Mean?

This phrase is getting used a lot since Anthropic launched computer use in late March 2026, but it's conflating two distinct capabilities. Understanding the difference matters before you make any decisions.

1. File and Folder Access (the Cowork default)

When you open Cowork in the Claude desktop app and select a working folder, you're giving Claude the ability to read files in that folder, create new files, and edit or overwrite existing ones. This all happens inside an isolated virtual machine (VM) running on your computer — Claude is not touching anything outside the folder you selected.

This is the base level of access that most Cowork use cases rely on. You paste in a brief, Claude reads your documents, generates a report, and saves it to your folder. Contained, reversible (mostly), and fairly well understood. Or you can also create projects in Claude Cowork to store all data in one space.

What it can't do by default: Claude cannot open your email client, access other folders on your hard drive, browse the web, or interact with any other application unless you explicitly connect those via integrations (called Claude connectors) or enable computer use.

2. Computer Use (the new capability)

Computer use is a separate, opt-in feature that lets Claude control your actual desktop — your real mouse, keyboard, and screen. It takes screenshots to see what's on your display, clicks through interfaces, opens applications, fills in forms, and navigates browser windows. This is not happening inside the VM. It's happening on your live machine.

Anthropic announced this for Cowork and Claude Code on March 24, 2026. It's currently in research preview and available only on macOS for Pro and Max subscribers.

When you enable computer use, you're giving Claude a fundamentally different kind of access. It can do what you'd do at a keyboard — which is both the power and the risk.

2. What Can Claude Do With Computer Access?

Here's what the combination of file access, connectors, browser integration, and computer use makes possible — in practical, concrete terms.

With file access only:

• Read and summarize documents in your working folder

• Generate formatted reports, presentations, and spreadsheets from your data

• Organize, rename, or restructure files according to rules you set

• Pull data from multiple local files and compile them into a single output

With connectors added (Google Drive, Slack, Gmail, Calendar, etc.):

• Pull meeting context from Calendar, recent emails from Gmail, and channel history from Slack to build a pre-meeting briefing

• Search across connected apps to answer a question or build a report

• Send messages or post to connected services on your behalf (with your confirmation)

With computer use enabled:

• Open any app on your computer and navigate it as a user would

• Use internal tools that don't have connectors — proprietary dashboards, desktop software, specialized platforms

• Fill in forms, run exports, click through multi-step workflows

• Work autonomously while you're away — you can assign a task from your phone via Dispatch, and Claude will execute it on your desktop while you're in a meeting

A real example Anthropic demonstrated: a user running late messages Claude from their phone asking it to export a pitch deck as a PDF and attach it to a meeting invite. Claude opens the desktop app, locates the file, exports it, opens the calendar event, and attaches the file — then notifies the user when done.

What it still can't do (by policy):

• Access banking apps, investment platforms, or cryptocurrency wallets — these are blocked by default

• Enter financial account numbers or credentials

• Permanently delete files without your explicit confirmation

• Execute actions autonomously that would permanently change or expose sensitive data

3. How to Set It Up

File and Folder Access (Cowork)

1. Download or update Claude Desktop at claude.com/download

2. Make sure you're on a Pro or Max plan (Cowork is not available on free)

3. Open Claude Desktop and click the Cowork tab (next to Chat)

4. When starting a task, Claude will prompt you to select a working folder — pick or create a dedicated folder for this, not your entire Documents directory

5. That's it. Claude can now read from and write to that folder

Tip: Create a folder specifically for Claude work — something like Claude-Workspace on your Desktop. Don't point it at your entire home directory or anywhere with sensitive files like financial records, credentials, or medical documents.

Computer Use

1. Open Claude Desktop

2. Go to Settings → General (look under the Desktop app section)

3. Toggle Computer use on

4. Start a Cowork or Claude Code session

5. When Claude needs to access a specific app to complete your task, it will ask for permission before proceeding — you confirm or deny per application

Important: Computer use is macOS only as of March 2026. Windows support was initially planned but hasn't shipped at time of writing. Your computer must stay awake and the Claude desktop app must remain open for tasks to run.

Dispatch (Remote Task Assignment)

Dispatch is the feature that lets you assign tasks to Claude from your phone and have it execute them on your desktop while you're away.

1. Enable it from the Dispatch section in the desktop app

2. Message Claude from your phone as you would in a chat

3. Claude will run the task on your desktop and notify you when it's done or if it needs input

This creates a chain where a message from your phone can trigger real actions on your desktop — including reading, editing, and creating files. It's useful, but it also means you should think carefully about what access you've already given Cowork before turning this on.

4. The Real Risks (and How Documented They Are)

This is the section that most guides gloss over with a vague "use with caution." Let's be specific about what's actually been documented.

Prompt Injection

This is the biggest realistic risk. Prompt injection happens when Claude encounters content — in a document, on a webpage, in an email — that contains hidden instructions designed to hijack what Claude does next.

A documented example: In January 2026, security researchers showed that a Word document could contain hidden instructions that would trick Cowork into uploading sensitive files — including documents with partial Social Security numbers — to an attacker's server. The user saw nothing unusual. Claude processed the document and followed the embedded instructions.

Another documented case: Researchers discovered three vulnerabilities in Claude.ai's web platform (collectively called "Claudy Day") that could chain together to silently exfiltrate conversation history. One method embedded invisible HTML inside a URL parameter that pre-filled Claude's chat box — the user saw a normal prompt, but Claude also executed hidden instructions when they hit Enter. This vulnerability was patched, but it illustrates the category of risk.

Why this matters for computer use: The risk surface is larger when Claude has computer use enabled. If Claude is browsing the web, opening emails, or reading files from unknown sources as part of a task, malicious content in any of those sources could attempt to redirect what Claude does next. Anthropic has training and content classifiers in place to detect this, but they explicitly acknowledge the guardrails "aren't absolute."

Mistakes and Irreversible Actions

Claude can make errors. In an agentic context — where it's taking sequences of real-world actions — a mistake early in a workflow can cascade. Anthropic requires explicit confirmation before permanent file deletion, but not every action is reversible. A file overwritten is not the same as a file deleted, but it still means data is gone.

The more autonomous the task, and the more sensitive the files involved, the more this matters.

Sensitive Information Visible on Screen

When computer use is active, Claude takes screenshots to understand what's on your screen. This means it can see anything visible — open documents, browser tabs, notification banners, anything. Anthropic says screenshots are deleted from their backend within 30 days, but they are processed by Anthropic's systems.

If you're working with confidential business data, client information, or anything regulated, this is worth factoring in. Anthropic explicitly notes that Cowork activity is not captured in audit logs or Compliance APIs and recommends against using it for regulated workloads.

The Remote Access Chain

When you enable Dispatch, your phone becomes a remote control for your desktop. This means any compromise of your Claude account — or any malicious content Claude encounters during a task — could potentially trigger actions on your physical machine. If your organization manages your computer, review their policies before enabling this.

5. Should You Give Claude Access to Your Computer? (Decision Guide)

The question isn't really binary. Here's how to think through it by access level:

File/folder access in a dedicated folder → Yes, for most people. This is low-risk when you control which folder Claude uses. Keep the folder clean, don't put sensitive files in it, and you have a useful working environment with limited exposure.

File/folder access to broad directories → No, unless you have a specific reason. Pointing Claude at your entire Documents folder, Downloads, or home directory is unnecessary for most tasks and increases exposure. Create a dedicated folder instead.

Connectors (Gmail, Slack, Drive, etc.) → Yes, with attention to what you're connecting. These are direct integrations and generally lower-risk than computer use. Be clear on what Claude can actually do through each connector (read vs. read and send) and confirm before any sends or posts go out.

Computer use for internal/proprietary tools → Yes, this is where it shines. If you use tools that don't have connectors and require clicking through interfaces, computer use is the only way Claude can help with those workflows. Start with specific, contained tasks.

Computer use with access to sensitive apps → No. Banking, healthcare portals, legal platforms, and anything involving credentials or regulated data should be explicitly blocked. Anthropic blocks investment platforms and crypto wallets by default, but you should manually review which apps you want Claude to have access to.

Computer use for long autonomous tasks while you're away → Proceed carefully. This is where the stakes are highest. If Claude encounters unexpected content or makes a wrong decision mid-task, you're not there to catch it. Start with lower-stakes workflows, build trust, then expand.

6. What the Safety Controls Actually Do

Anthropic has several protective layers in place — understanding what they cover (and what they don't) helps calibrate your confidence correctly.

• Model training: Claude is trained to recognize and reject suspicious instructions, including those disguised as urgent or authoritative.

• Content classifiers: The system scans content entering Claude's context to flag potential prompt injections before they affect behavior. This runs automatically.

• Permission gates: Claude asks for your approval before accessing each new application during computer use sessions. You can deny access to specific apps.

• Default blocks: Investment platforms, cryptocurrency wallets, and a few other sensitive app categories are blocked by default.

• Deletion confirmation: Claude will not permanently delete files without explicit user confirmation.

What these controls don't cover: They're not perfect. Anthropic's own documentation says the guardrails aren't absolute. Prompt injection research has demonstrated bypasses. The right mental model is that these controls raise the bar significantly — they don't make computer use zero-risk.

7. Common Mistakes to Avoid

• Giving Claude access to your entire hard drive. You don't need to. Create a dedicated working folder and only move files there when Claude needs them.

• Enabling computer use and then walking away immediately. Build some experience with how Claude handles your specific tasks before leaving long autonomous workflows running unattended.

• Connecting sensitive apps through Claude in Chrome without thinking about it. The browser extension can read content from pages you visit. Review which sites you want Claude to have access to and stick to trusted ones.

• Assuming Cowork is subject to the same data policies as Claude.ai chat. Cowork stores conversation history locally on your computer, not on Anthropic's servers under their standard retention policy. It also doesn't appear in audit logs — relevant if you're in a regulated industry or using a managed device.

• Not keeping Claude desktop open during tasks. Claude can't do anything if the app is closed. If you assign a task and close your laptop, the task stops.

8. FAQs

Does Anthropic store the screenshots Claude takes? 
Anthropic's documentation says screenshots taken during computer use are automatically deleted from their backend within 30 days (unless you have enterprise terms that specify otherwise). They are processed server-side to enable Claude's navigation, so they do leave your machine.

Can Claude access my passwords or saved credentials? 
Claude's guidelines explicitly prohibit accessing browser-saved passwords, autofill data, or financial credentials. This is a hard policy boundary, not just a default setting.

What happens if Claude makes a mistake during an autonomous task? 
For irreversible actions like permanent file deletion, Claude is required to ask for your confirmation first. For other mistakes — overwriting a file, sending an incorrect message — they may not be reversible. Keep backups of important files and start with lower-stakes tasks.

Can I use computer use on Windows? 
As of the time of writing, computer use is macOS only. Windows support hasn't shipped yet.

Is Cowork appropriate for work with regulated data (HIPAA, GDPR, etc.)? 
Anthropic explicitly says no. Cowork activity is not captured in audit logs or Compliance APIs, and they recommend against using it for regulated workloads.

What if Claude starts doing something I didn't ask for? 
You can halt Claude at any point during a task. If you notice Claude discussing unrelated topics, requesting unexpected information, or behaving strangely, Anthropic recommends reporting this to [email protected].

Can my employer see what Claude is doing on my computer? 
Cowork stores conversation history locally, so it's not in Anthropic's audit logs. However, if your employer manages your computer (MDM, monitoring software), they may be able to see desktop activity. If you're using Cowork on a work device, check your organization's IT policies.

9. Next Steps

Once you're comfortable with the basics, here's what's worth exploring:

• Scheduled tasks. Cowork lets you set tasks to run automatically on a schedule — a weekly report compiled every Friday, a morning briefing pulled before you start work. Start with a low-stakes, read-only workflow to build confidence in how Claude handles it unattended.

• Combining connectors with computer use. Claude's priority order is connectors first, then browser, then screen control. The more connectors you set up, the less Claude needs to resort to screen interaction — which means faster tasks and lower prompt injection risk from browsing.

• Creating a dedicated Claude workspace on your machine. A structured folder with clear subfolders (Inputs, Outputs, In-Progress) makes it easier to control what Claude sees and produces, and makes reviewing its work simpler.

• Following Anthropic's Cowork updates. Computer use is a research preview, which means the feature set, safety controls, and availability are actively evolving. Check support.claude.com periodically — things are moving fast.

10. The Bottom Line

Giving Claude access to your computer is not a single decision — it's a series of decisions about how much access, to what, and for what kinds of tasks.

File access in a dedicated folder is low-friction and low-risk for most people. Computer use is genuinely powerful for the right use cases — especially when you need Claude to interact with tools that don't have integrations — but it operates on your live machine, and the risks are proportionally higher.

The documented vulnerabilities are real. Prompt injection is not theoretical. At the same time, Anthropic's controls raise the bar meaningfully, and for the everyday professional using Claude to compile reports, prep briefings, or work through internal tools, the risk is manageable with a bit of intentionality about what you're connecting.

Start narrow. Expand as you build trust. And don't point it at anything you wouldn't want Claude to read.