Anthropic’s latest Claude feature—no downloading/uploading needed for Word docs, spreadsheets, slides and PDFs—comes with a stark warning from the company itself: turning it on could endanger your data. The disclosure highlights a growing tension at the AI tooling layer, where convenience often clashes with the security reality.
What the feature does — and how it works
The update allows Claude to create and edit files natively within the web app and desktop clients. Tell me the output you desire — project plan, budget spreadsheet, sales deck — and the model builds the thing on the fly.
Anthropic says the feature is currently available for Claude Max, Team, and Enterprise accounts, with Pro access coming soon. It is modifiable by user under Settings by enabling “Upgraded file creation and analysis” in the experimental section.
Under the hood, Claude runs this workflow in a sandbox, with restricted internet access, but with access to fetch certain JavaScript packages required for rendering and file manipulation. That handrail helps, but it is no panacea.
Why Anthropic believes there’s risk
Anthropic openly admits that by enabling the automation of file creation and analysis over the internet their tool is more exposed. The actual problem isn’t the file format—it’s ultimately untrusted content steering connected tools.
Two threat paths stand out. First, injection: Secret commands can be hidden in documents, datasets, or webpages that an AI agent may be tricked into executing. Second, data exfiltration: when compromised, the agent can read sensitive files or memory, and try to communicate extracts outside of the environment.
Even in a sandbox, attackers try to chain behaviors–trick the model into loading external resources, executing malicious scripts, or communicating extracted content. In the case of OWASP’s “LLM Top 10,” it recommends that in-the-moment injection and data leakage are the top risk items, and in the case of NIST’s AI Risk Management Framework, close attention to model inputs, outputs, and tool-use privileges are center-and-foremost.
This is not hypothetical
Researchers have shown this indirect prompt injection works, for example, when a seemingly innocent file or web page embeds instructions that, without the AI agent’s knowledge, get used to manipulate its behavior. Tests against web-based chatbots from several vendors have successfully goaded the model into exposing its internal notes, ignoring safety constraints, or serving as a conduit to retrieve and forward sensitive information.
Security teams with national agencies and the largest cloud providers are seeing this pattern over and over: when models are doing browsing, reading attachments, or invoking tools, untrusted content is a control surface. Joint guidance between UK and US cyber authorities highlights policy isolation, stringent egress controls and least-privilege design for AI agents.
In enterprises, the risk accumulates from convenience. Employees will naturally want AI to be helpful by “seeing” calendars, drives and wikis. That access can transform a well-designed spreadsheet or linked web page into a toehold for exfiltration.
What Anthropic is doing — and what you should do
Anthropic says it has red-teamed this and is currently testing the feature, and encourages organizations to test protections against their own security needs. The company also recommends that when the feature is turned on, users “observe what Claude is doing” and suspend activities that seem to be reading, or otherwise using, data unexpectedly.
For most companies, that’s a baseline, not a complete defense. A prudent rollout plan includes:
- — Turn the feature off by default in your sensitive tenants; test with nonproduction data first.
- – Practise least privilege: restrict file and system access for Claude, read-only access if it’s applicable.
- – Egress network controls on the sandbox to control exfiltration paths.
- – Utilize data loss prevention, content inspection, and logging around AI-driven workflows for file creation.
- – No secrets (keys, credentials, personal data) in prompts or in uploads; tokenize or mask them if you must.
- – Notify users of immediate input and suspicious behavior of generated files.
Accessible, checklists for hardening AI agents exist in frameworks developed by OWASP, NIST, and national cyber agencies, covering Input Sanitization, Provenance Tracking, and a human in the loop for review of high levels of risk activity.
The upside is still there — if you respect the blast radius
Ugh… Budget Reporting Monthly budget reporting takes time and saps resources, but Claude’s native doc, spreadsheet, and slide support can cut hours off reporting, planning, and content prep. But as soon as a model can pull in code and build up files with internet help, you have to put it in the same bucket as any other connected tool of automation — useful, fast and capable of data leakage if you trick it.
Anthropic’s frankness is a good thing: The company is openly acknowledging that productivity gains come with the risk of operations. If your company allows the feature, do it purposefully — restrict access, monitor the logs and assume untrusted content will attempt to influence the model. That mindset retains the benefits and but reduces the blast radius.
