There is much more to do - and our docs reflect how early this is - but we're investing in making progress towards something that's "safe".

It's the "don't click on suspicious links" of the LLM world and will be just as effective. It's the system they built that should prevent those being harmful, in both cases.

This is a perfect encapsulation of the same problem: https://www.reddit.com/r/BrandNewSentence/comments/jx7w1z/th...

Substitute AI with Bear

You brought this up a couple of times now, would appreciate clarification.

Yes, but at least now its only restricted to Claude Max subscribers, who are likely to be at least semi-technical (or at least use AI a lot)?

container2wasm seems interesting, but it runs a full blown x86 or ARM emulator in WASM which boots an image derived from a docker container [0].

[0] https://github.com/container2wasm/container2wasm

Good job that video of it organising your Desktop doesn't show folders containing 'Documents', 'Photos', and 'Projects'!

Oh wait.

This is why the Android permissions system of "allow this app to x, y, z" whilst great for me, isn't really a good system for the average person, because what do they do "yes, yes, yes, just let me see my Tiktoks!1111"

ETA: used Claude Code to reverse engineer it:

   Insight ─────────────────────────────────────

  Claude.app VM Architecture:
  1. Uses Apple's Virtualization.framework (only on ARM64/Apple Silicon, macOS 13+)
  2. Communication is via VirtioSocket (not stdio pipes directly to host)
  3. The VM runs a full Linux system with EFI/GRUB boot

  ─────────────────────────────────────────────────

        ┌─────────────────────────────────────────────────────────────────────────────────┐
        │  macOS Host                                                                     │
        │                                                                                 │
        │  Claude Desktop App (Electron + Swift native bindings)                          │
        │      │                                                                          │
        │      ├─ @anthropic-ai/claude-swift (swift_addon.node)                           │
        │      │   └─ Links: Virtualization.framework (ARM64 only, macOS 13+)            │
        │      │                                                                          │
        │      ↓ Creates/Starts VM via VZVirtualMachine                                   │
        │                                                                                 │
        │  ┌──────────────────────────────────────────────────────────────────────────┐  │
        │  │  Linux VM (claudevm.bundle)                                              │  │
        │  │                                                                          │  │
        │  │  ┌────────────────────────────────────────────────────────────────────┐  │  │
        │  │  │  Bubblewrap Sandbox (bwrap)                                        │  │  │
        │  │  │  - Network namespace isolation (--unshare-net)                     │  │  │
        │  │  │  - PID namespace isolation (--unshare-pid)                         │  │  │
        │  │  │  - Seccomp filtering (unix-block.bpf)                              │  │  │
        │  │  │                                                                    │  │  │
        │  │  │  ┌──────────────────────────────────────────────────────────────┐  │  │  │
        │  │  │  │  /usr/local/bin/claude                                       │  │  │  │
        │  │  │  │  (Claude Code SDK - 213MB ARM64 ELF binary)                  │  │  │  │
        │  │  │  │                                                              │  │  │  │
        │  │  │  │  --input-format stream-json                                  │  │  │  │
        │  │  │  │  --output-format stream-json                                 │  │  │  │
        │  │  │  │  --model claude-opus-4-5-20251101                            │  │  │  │
        │  │  │  └──────────────────────────────────────────────────────────────┘  │  │  │
        │  │  │       ↑↓ stdio (JSON-RPC)                                          │  │  │
        │  │  │                                                                    │  │  │
        │  │  │  socat proxies:                                                    │  │  │
        │  │  │  - TCP:3128 → /tmp/claude-http-*.sock (HTTP proxy)                │  │  │
        │  │  │  - TCP:1080 → /tmp/claude-socks-*.sock (SOCKS proxy)              │  │  │
        │  │  └────────────────────────────────────────────────────────────────────┘  │  │
        │  │                                                                          │  │
        │  └──────────────────────────────────────────────────────────────────────────┘  │
        │           ↕ VirtioSocket (RPC)                                                 │
        │      ClaudeVMDaemonRPCClient.swift                                             │
        │           ↕                                                                    │
        │      Node.js IPC layer                                                         │
        └─────────────────────────────────────────────────────────────────────────────────┘

ComponentDetailsKernelLinux 6.8.0-90-generic aarch64 (Ubuntu PREEMPT_DYNAMIC)OSUbuntu 22.04.5 LTS (Jammy Jellyfish)HostnameclaudeCPU4 cores, Apple Silicon (virtualized), 48 BogoMIPSRAM3.8 GB total (~620MB used at idle)SwapNone

Storage Layout

DeviceSizeTypeMount PointPurpose/dev/nvme0n1p19.6 GBext4/Root filesystem (rootfs.img)/dev/nvme0n1p1598 MBvfat/boot/efiEFI boot partition/dev/nvme1n19.8 GBext4/sessionsSession data (sessiondata.img)virtiofs-virtiofs/mnt/.virtiofs-root/shared/...Host filesystem access

Filesystem Mounts (User Perspective)

        /sessions/gallant-vigilant-lamport/
        ├── mnt/
        │   ├── claude-cowork/     → Your selected folder (virtiofs + bindfs)
        │   ├── .claude/           → ~/.claude config (bindfs, rw)
        │   ├── .skills/           → Skills/plugins (bindfs, ro)
        │   └── uploads/           → Uploaded files (bindfs)
        └── tmp/                   → Session temp files
        
        Session User
        A dedicated user is created per session with a Docker-style random name:
        User: gallant-vigilant-lamport
        UID:  1001
        Home: /sessions/gallant-vigilant-lamport
        Process Tree
        PID 1: bwrap (bubblewrap sandbox)
        └── bash (shell wrapper)
            ├── socat TCP:3128 → unix socket (HTTP proxy)
            ├── socat TCP:1080 → unix socket (SOCKS proxy)
            └── /usr/local/bin/claude (Claude Code SDK)
                └── bash (tool execution shells)

        Security Layers

        Apple Virtualization.framework - Hardware-level VM isolation
        Bubblewrap (bwrap) - Linux container/sandbox

        --unshare-net - No direct network access
        --unshare-pid - Isolated PID namespace
        --ro-bind / / - Read-only root (with selective rw binds)


        Seccomp - System call filtering (unix-block.bpf)
        Network Isolation - All traffic via proxied unix sockets

        Network Architecture
        ┌─────────────────────────────────────────────────────────────┐
        │  Inside Sandbox                                             │
        │                                                             │
        │  claude process                                             │
        │      │                                                      │
        │      ↓ HTTP/HTTPS requests                                  │
        │  localhost:3128 (HTTP proxy via env vars)                   │
        │      │                                                      │
        │      ↓                                                      │
        │  socat → /tmp/claude-http-*.sock ─────────┐                │
        │                                            │                │
        │  localhost:1080 (SOCKS proxy)              │                │
        │      │                                     │                │
        │      ↓                                     │                │
        │  socat → /tmp/claude-socks-*.sock ────────┤                │
        └───────────────────────────────────────────┼────────────────┘
                                                    │
                                VirtioSocket ←──────┘
                                                    │
        ┌───────────────────────────────────────────┼────────────────┐
        │  Host (macOS)                             │                │
        │                                           ↓                │
        │                              Claude Desktop App            │
        │                                           │                │
        │                                           ↓                │
        │                                    Internet                │
        └─────────────────────────────────────────────────────────────┘
        Key insight: The VM has only a loopback interface (lo). No eth0, no bridge. All external network access is tunneled through unix sockets that cross the VM boundary via VirtioSocket.


  Communication Flow

  From the logs and symbols:

  1. VM Start: Swift calls VZVirtualMachine.start() with EFI boot
  2. Guest Ready: VM guest connects (takes ~6 seconds)
  3. SDK Install: Copies /usr/local/bin/claude into VM
  4. Process Spawn: RPC call to spawn /usr/local/bin/claude with args

  The spawn command shows the actual invocation:
  /usr/local/bin/claude --output-format stream-json --verbose \
    --input-format stream-json --model claude-opus-4-5-20251101 \
    --permission-prompt-tool stdio --mcp-config {...}

Cars have plenty of horror stories associated with them, but convenience keeps most people happily driving everyday without a second thought.

Google can quarantine your life with an account ban, but plenty of people still use gmail for everything despite the stories.

So even if Claude cowork can go off the rails and turn your digital life upside down, as long as the stories are just online or "friend of a friend of a friend", people won't care much.

[1]: https://eclecticlight.co/2024/04/08/apfs-snapshots/

[2]: https://eclecticlight.co/2021/09/04/explainer-the-macos-vers...

I am not even certain if this issue can be solved since you are sending your prompts and activities to "someone else's computer", but I suspect if it is overlooked or hand-waved as insignificant, there will be a time when open, local models will become useful enough to allow most to jettison cloud AI providers.

I don't know about everyone else, but I am not at all confident in allowing access and sending my data to some AI company that may just do a rug pull once they have an actual virtual version of your mind in a kind of AI replication.

I'll just leave it at that point and not even go into the ramifications of that, e.g., "cybercrimes" being committed by "you", which is really the AI impersonator built based on everything you have told it and provide access to.

I do believe the approach Apple is taking is the right way when it comes to user facing AI.

You need to reduce AI to being an appliance that does one or at most a few things perfectly right without many controls with unexpected consequences.

Real fun is robots. Not sure no one is hurrying up on that end.

>>Edit: most comments are focused on pointing out that version control & file system snapshot exists: that's wonderful, but Claude Cowork does not use it.

Also in my experience this creates all kinds of other issues. Like going back up a tree creates all kinds of confusions and keeps the system inconsistent with regards to whatever else it is you are doing.

You are right in your analysis that many people are going to end up with totally broken systems

The base model itself is biased away from actions that would lead to large scale destruction. Compound over time and you probably never get anywhere too scary.

Weird they don't use it - might backfire hard

It would be madness to work completely offline these days, and all of these systems have version history and document recovery built in.

I’ve been trying to reach a human at Anthropic for a week now to clarify this on behalf of our company but can’t get past your AI support.

Simple suggestion: logo should be a cow and and orc to match how I originally read the product name.

I worry that the average consumer is none the wiser but I hope a company that calls itself Anthropic is anthropic. Being transparent about what the tool is doing, what permissions it has, educating on the dangers etc. are the least you can do.

With the example of clearing up your mac desktop: a) macOS already autofolds things into smart stacks b) writing a simple script that emulates an app like Hazel is a far better approach for AI to take

Deleting vm_bundles lets me open Claude Desktop and switch tabs. Then it hangs again, I delete vm_bundles again, and open it again. This time it opens on the Chat tab and I know not to click the Cowork tab...

This has been one of the biggest bottlenecks for our company: not the capability of the agents themselves -- the tools needed to roll them out responsibly.

I created a folder for Cowork, copied a couple of hundred files into it related to the two tasks, and told Claude to prepare a comprehensive summary in markdown format of that work (and some information about me) for its future reference.

The summary looked good, so I then described the two tasks to Claude and told it to start working.

Its project proposal revision was just about perfect. It took me only about 10 more minutes to polish it further and send it off.

The slides took more time to fix. The text content of some additional slides that Claude created was quite good and I ended up using most of it, but the formatting did not match the previous slides and I had to futz with it a while to make it consistent. Also, one slide it created used a screenshot it took using Chrome from a website I have built; the screenshot didn’t illustrate what it was supposed to very well, so I substituted a couple of different screenshots that I took myself. That job is now out the door, too.

I had not been looking forward to either of those two tasks, so it’s a relief to get them done more quickly than I had expected.

One initial problem: A few minutes into my first session with Claude in Cowork, after I had updated the app, it started throwing API errors and refusing to respond. I used the "Clear Cache and Restart" from the Troubleshooting menu and started over again from the start. Since then there have been no problems.

Would love to connect, my emails in my bio if you have time!

However, I don't see an option for AWS Bedrock API in the sign up form, is it planned to make this available to those using Bedrock API to access Claude models?

/e: stopped it and retried. it seems it can't use the connectors? I get No such tool available

Is this a planned usecase, for the user to hand over human communication in, say, slack or similar? What are the current capabilities and limitations for that?

You might want to fix this.

I'm very curious about what you mean by 'cross device sync' in the post?

> Hi, Felix from the team here, this is my product - let us know what you think. > We're on purpose releasing this very early, we expect to rapidly iterate on > it.

> (We're also battling an unrelated Opus 4.5 inference incident right now, so > you might not see Cowork in your client right away.)

https://github.com/thameera/harcleaner and https://har-sanitizer.pages.dev/

To bypass: `.transition_wrap { display: none }`

Thanks anthropic

doesn't work.

The reality is there are some of us who truly just don't care. The convenience outweighs the negative. Yesterday I told an agent, "here's my api key and my root password - do it for me". Privacy has long since been dead, but at least for myself opsec for personal work is too.

     v-- click!
  [ACCEPT] [CANCEL]

> One of the core constitutional principles that guides our AI model development is privacy. We do not train our generative models on user-submitted data unless a user gives us explicit permission to do so.

But they changed their policy a few months ago so now as-of October they are much more likely to train on your inputs unless you've explicitly opted out: https://www.anthropic.com/news/updates-to-our-consumer-terms

This sucks so much. Claude Code started nagging me for permission to train on my input the other day, and I said "no" but now I'm always going to be paranoid that I miss some opt-out somewhere and they start training on my input anyway.

And maybe that doesn't matter at all? But no AI lab has ever given me a convincing answer to the question "if I discuss company private strategy with your bot in January, how can you guarantee that a newly trained model that comes out in June won't answer questions about that to anyone who asks?"

I don't think that would happen, but I can't in good faith say to anyone else "that's not going to happen".

For any AI lab employees reading this: we need clarity! We need to know exactly what it means to "improve your products with your data" or whatever vague weasel-words the lawyers made you put in the terms of service.

That's not a problem. It leads to better models.

> to put your business out of business and capture all the value for themselves, right?

That's both true and paranoid. Yes, LLMs subsume most of the software industry, and many things downstream of it. There's little anyone can do about it; this is what happens when someone invents a brain on a chip. But no, LLM vendors aren't gunning for your business. They neither care, nor have the capability to perform if they did.

In fact my prediction is that LLM vendors will refrain from cannibalizing distinct businesses for as long as they can - because as long as they just offer API services (broad as they may be), they can charge rent from an increasingly large amount of the software industry. It's a goose that lays golden eggs - makes sense to keep it alive for as long as possible.

Reality is good ideas and a few SOPs do not make a successful business.

You could also always run a local LLM like GLM for sensitive documents or information on a separate computer, and never expose that to third party LLMs.

You also need to remember that if you hire regular employees that they are still untrustworthy at a base level. There needs to be some obfuscation anyway since they can steal your data/info too as a human. Very common case especially when they run off to China or something to clone your company where IP laws don't matter.

As they should if they're doing most of the heavy lifting.

And it's not just LLM adjacent startups at risk. LLMs have enabled any random person with a claude code subscription to pole vault over your drying up moat over the course of a weekend.

There will always be a market for dedicated tools that do really specific things REALLY well.

very far from being true

I was running some sentiment analysis experiments; describe the subject and the subjects emotional state kind of thing. It picked up on a lot of little detail; the brand name of my guitar amplifier in the background, what my t shirt said and that I must enjoy craft beer and or running (it was a craft beer 5k kind of thing), and picked up on my movement through multiple frames. This was a video slicing a frame every 500ms, it noticed me flexing, giving the finger, appearing happy, angry, etc. I was really surprised how much it picked up on, and how well it connected those dots together.

Are you sure about that?

Try "claude --chrome" with the CLI tool and watch what it does in the web browser.

It takes screenshots all the time to feed back into the multimodal vision and help it navigate.

It can look at the HTML or the JavaScript but Claude seems to find it "easier" to take a screenshot to find out what exactly is on the screen. Not parse the DOM.

So I don't know how Cowork does this, but there is no reason it couldn't be doing the same thing.

The issue is that Claude Code won't automatically Read images by default as a part of its flow: you have to very explicitly prompt it to do so. I suspect a Skill may be more useful here.

How many people join meetings these days just to zone out and wait for the AI-produced summary at the end?

The folks working at these technology firms just dont get what the average person - who makes up most of the population - wants. They produce this fluffy stuff which may appeal to the audience here - but that market segment is tiny.

Also the use case of organising a desktop rocked me off my chair. LMAO!

The challenge is that no application on desktop is built around these privileges so there's no grant workflow.

Are you bytecode analysing the kernel syscalls an app makes before it runs? Or will it just panic-die when you deny one?

Most people have no idea what a terminal is.

But for many people, yes, AI will mostly substitute their labor (and take their job, produce operating margin for the company).

We can still do this via containers, though. But it does have some friction.

TBH this comment essentially reads as "other commenters are dumb, this is the future b/c I said so, get in line".

No, this doesn't need to be the future. There's major implications to using AI like this and many operations are high risk. Many operations benefit greatly from a human in the loop. There's massive security/privacy/legal/financial risks.

That’s it? There are security risks but The Future? On the one hand I am giving it access to my computer. On the other hand I have routine computer tasks for it to help with?

Could these “positive” comments at least make an effort? It’s all FOMO and “I have anecdotes and you are willfully blind if you disagree”.

Very generally I suspect there are many coders on HN who have a love hate relationship with a tool (claude code) that has and will certainly make many (but not all) of them less valuable given the amount of work it can do with even less than ideal input.

This could be a result of the type of coding that they do (ie results of using claude code) vs. say what I can and have done with it (for what I do for a living).

The difference perhaps is that my livlihood isn't based on doing coding for others (so it's a total win with no downside) and it's based on what it can do for me which has been nothing short of phemomenal.

For example I was downvoted for this comment a few months ago:

https://news.ycombinator.com/item?id=45932641

Just one reply (others are interesting also):

"HN is all about content that gratifies one’s intellectual curiosity, so if you are admitting you have lost the desire to learn, then that could be triggering the backlash."

(HN is about many things and knowing how others think does have a purpose especially when there is a seismic shift that is going on and saying that I have lost the desire to learn (we are talking about 'awk' here is clearly absurd...)).