Claude AI has become one of the most capable and widely used artificial intelligence tools in the world. Its newest features allow users to create, edit, and analyze files directly within chat sessions. These additions make Claude more useful than ever, but they also come with serious security concerns. Researchers have shown that attackers can exploit Claude’s built-in file system and network access to quietly steal sensitive data by injecting malicious instructions into uploaded files or text prompts.
How Claude’s File System Works
The new version of Claude introduces a sandboxed computing environment that can execute code and create downloadable files such as Excel spreadsheets, PowerPoint slides, Word documents, and PDFs. The feature is powered by Anthropic’s Sonnet 4.5 model and available across all paid plans. Pro and Max users have file creation and code execution enabled automatically, while Team and Enterprise administrators can enable or disable these capabilities at the organization level.
This environment allows Claude to perform complex data tasks such as generating charts, running calculations, and formatting documents. However, the same features that make it productive can also be turned against users. If a file or message contains hidden prompt instructions, Claude may follow them without question. Those instructions can direct the model to read data from its session, save it to a local file, and use the Files API to upload that file to a remote location controlled by an attacker.
The Anatomy of the Attack
The attack chain starts with a simple step: a user uploads a document for analysis. Inside that file is hidden code disguised as plain text. When Claude reads it, the model interprets it as valid instructions and begins executing them. It collects available data, stores it in a file within its sandbox, and uploads the file using an API key provided in the malicious prompt. Since Claude has network access on many plans, the file can be sent directly to an attacker’s account through Anthropic’s own infrastructure.
According to documentation, Claude can upload files of up to 30MB, and there is no practical limit on the number of files it can send. Because the upload uses a legitimate API call, no alarms are triggered. To the platform, this looks like normal behavior: the model creating and exporting a file for a user request.
Why Network Access Increases Risk
Network access is what makes this type of attack dangerous. Anthropic allows several configurations known as network egress modes. These include “no egress,” “package managers only,” “package managers and specific domains,” and “all domains.” When network egress is set to “all domains,” Claude can connect to almost any website except those on Anthropic’s blocklist. This gives injected prompts far more room to send or receive data externally.
Even the “package managers only” mode is not completely safe. Anthropic’s list of approved domains includes its own APIs. This means that malicious instructions can still use the Files API to transfer data elsewhere. Because these are authorized domains, the activity blends in with legitimate model functions and is extremely difficult to detect through normal logging or monitoring tools.
What Information Can Be Stolen
Claude can only access what is visible inside its current environment, but that can still include a wide range of sensitive information. Chat transcripts, uploaded documents, connected projects, and local files in the sandbox are all within reach. If a company links Claude to internal datasets or third-party services, attackers could potentially extract business data, analytics, or even customer information. Since everything happens inside Anthropic’s cloud environment, traditional endpoint protections and firewalls are blind to the theft.
Why Standard Security Tools Miss It
This method of exfiltration does not resemble typical malware or phishing attacks. There is no executable code being installed on the user’s device, no external payloads, and no unusual network traffic from the local system. The commands come from inside the trusted environment, using legitimate API routes. Antivirus and firewall tools never see the behavior because it never leaves Anthropic’s servers. Even identity management solutions cannot prevent it, since the actions are performed under the authenticated user session.
What Anthropic Says About the Risks
Anthropic acknowledges the risk of prompt-based attacks in its documentation and outlines potential mitigations. The company warns that malicious prompts can trick Claude into executing untrusted code or leaking information through external requests. Its safety measures include sandbox isolation, prompt injection classifiers, and detailed summaries of Claude’s actions. The model also allows users to cancel or stop ongoing operations if they appear suspicious. However, these safeguards rely heavily on users paying attention during each session, which may not always happen.
Reducing Risk for Organizations
Administrators using Claude in business environments should take several steps to limit exposure. Start by disabling network egress entirely unless it is essential for a workflow. If network access is needed, use a strict allowlist of trusted domains. Review who in the organization has permission to enable file creation and code execution, and make sure those settings are limited to technical or analytical roles.
All file uploads and API activities should be logged and linked to a verified human request. Any automated or unexplained uploads should be flagged for investigation. Routine audits of sandbox configurations and permission settings can help prevent accidental exposure. When dealing with files from outside the organization, open them in a controlled session with network access turned off and file creation disabled.
Practical Safety Habits for Users
For everyday users, the most effective defense is caution. Avoid uploading files from unknown sources and be wary of documents that contain hidden formatting, code blocks, or long embedded instructions. Scan files with reputable antivirus or anti-malware tools such as Malwarebytes before submitting them to Claude. Never copy and paste unverified code or data directly into chat, especially if it claims to enhance model functionality or improve output formatting.
Anthropic also encourages users to monitor Claude’s on-screen explanations of what it is doing. If the AI begins executing code, downloading packages, or creating files unexpectedly, stop the session immediately. Users should treat Claude’s sandbox as a semi-autonomous system that requires oversight, not as a passive writing tool.
Product Improvements That Could Help
Anthropic could strengthen defenses by automatically tying all Files API uploads to the authenticated user account, blocking the use of external API keys. Adding confirmation prompts before uploads that involve chat history or previous files would also prevent silent exfiltration. Rate limits and session-level upload caps could further restrict the scale of potential attacks. Transparent reporting of each file operation would make it easier for administrators to identify unusual activity in real time.
The Bigger Picture
The risks facing Claude AI highlight a growing issue across modern cybersecurity. As large language models gain features that let them access files, APIs, and the web, they stop behaving like simple chatbots and start acting like digital agents. That power comes with responsibility and risk. Each new feature that makes Claude smarter or more capable also gives attackers new ways to abuse it.
Claude AI remains a remarkable tool for automation, data analysis, and productivity. But its new capabilities also demand new safeguards and awareness. Users and organizations should approach these features with the same caution they would apply to any connected system handling private information. By combining careful configuration, strong monitoring, and good user habits, Claude can remain both powerful and safe to use.
