Anthropic’s Claude File Creation Feature Raises Security Concerns

Claude’s new AI file creation feature ships with deep security risks built in
Ars Technica

Key Points

  • Anthropic launched a file creation feature for Claude AI.
  • Pro and Max users cannot publicly share conversations using the feature.
  • Enterprise customers receive sandbox isolation and limited task runtime.
  • Administrators can allowlist specific domains such as api.anthropic.com and github.com.
  • Anthropic advises continuous security testing and red‑team assessments.
  • Researcher Simon Willison criticized the feature’s "monitor Claude" guidance as shifting risk to users.
  • Willison warned of persistent prompt‑injection vulnerabilities that could leak data.
  • The debate highlights security trade‑offs for enterprises adopting new AI capabilities.

Anthropic introduced a file creation capability for its Claude AI model. While the company added safeguards—such as disabling public sharing for Pro and Max users, sandbox isolation for Enterprise, limited task duration, and domain allowlists—independent researcher Simon Willison warned that the feature still poses prompt‑injection risks. Willison highlighted that Anthropic’s advice to "monitor Claude while using the feature" shifts responsibility to users. He urged caution when handling sensitive data, noting that similar vulnerabilities have persisted for years. The situation underscores ongoing challenges in AI security for enterprise deployments.

Feature Overview

Anthropic has released a file creation feature for its Claude AI model, allowing users to generate and manipulate files directly within a conversational interface. The capability is available across several subscription tiers, including Pro, Max, Team, and Enterprise.

Anthropic’s Security Safeguards

To address potential misuse, Anthropic implemented a series of mitigations. For Pro and Max users, public sharing of conversations that employ the file creation feature is disabled. Enterprise customers receive sandbox isolation so that environments never share data between users. The company also limits task duration and container runtime to reduce the chance of malicious loops.

Administrators for Team and Enterprise plans can configure an allowlist of domains that Claude may access. The documented allowlist includes api.anthropic.com, github.com, registry.npmjs.org, and pypi.org. Anthropic’s documentation states that Claude can only be tricked into leaking data it already has access to in the conversation, whether through an individual user’s prompt, a project, or "activated connections".
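The value of a domain allowlist as an egress control depends on how the host check is implemented: a substring or prefix match on the raw URL is trivially bypassed by look-alike hostnames or userinfo tricks, while an exact match on the parsed hostname is not. The following is an added illustration of that check, not Anthropic’s code; it uses the four allowlisted domains named on the page, and the request URLs in `SAMPLE_REQUESTS` are constructed inputs (the `.invalid` TLD is reserved and never resolves).

```python
"""Illustrative egress allowlist check for a sandboxed tool.

Added example, not Anthropic's implementation. The allowlist below is the
set of domains the page names; everything else is denied by default.
"""
from urllib.parse import urlsplit

# Documented allowlist (from the page). Exact hostnames only: subdomains,
# trailing-dot variants and look-alikes are deliberately NOT matched.
ALLOWED_HOSTS = frozenset({
    "api.anthropic.com",
    "github.com",
    "registry.npmjs.org",
    "pypi.org",
})

# Only TLS egress on the default port; no http://, file://, data: etc.
ALLOWED_SCHEMES = frozenset({"https"})
ALLOWED_PORTS = frozenset({None, 443})


def egress_allowed(url: str) -> bool:
    """Return True only if `url` targets an allowlisted host over HTTPS.

    The decision is made on the parsed hostname, never on a substring of
    the URL string, so "github.com.attacker.invalid" (look-alike host),
    "https://github.com@attacker.invalid/" (userinfo trick), IP literals and
    non-default ports are all denied.
    """
    try:
        parts = urlsplit(url)
        host = parts.hostname  # lower-cased; userinfo and port stripped
        port = parts.port      # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if not host or port not in ALLOWED_PORTS:
        return False
    return host in ALLOWED_HOSTS


def partition_requests(urls):
    """Split a batch of requested URLs into (allowed, denied) lists,
    preserving order, so a reviewer can audit what the sandbox tried to reach."""
    allowed, denied = [], []
    for u in urls:
        (allowed if egress_allowed(u) else denied).append(u)
    return allowed, denied


# Constructed sample of outbound requests a sandboxed task might attempt.
SAMPLE_REQUESTS = [
    "https://api.anthropic.com/v1/messages",
    "https://registry.npmjs.org/left-pad",
    "https://github.com@attacker.invalid/exfil?d=SECRET",  # userinfo trick
    "http://pypi.org/simple/requests/",                     # plaintext scheme
    "https://pypi.org.attacker.invalid/simple/",            # look-alike host
]

if __name__ == "__main__":
    ok, blocked = partition_requests(SAMPLE_REQUESTS)
    for u in ok:
        print("ALLOW", u)
    for u in blocked:
        print("DENY ", u)
```

The denied entries in the sample are the ones a naive `"github.com" in url` test would have let through; logging every denied request, as `partition_requests` makes possible, also gives defenders a cheap signal that a prompt-injection attempt is trying to exfiltrate data.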

The firm emphasizes a continuous process for security testing and red‑team exercises, urging organizations to evaluate these protections against their own security requirements before enabling the feature.

Expert Criticism

Independent AI researcher Simon Willison reviewed the feature on his blog, describing Anthropic’s advice to "monitor Claude while using the feature" as an unfair shift of responsibility to users. Willison warned that despite the safeguards, the feature remains vulnerable to prompt‑injection attacks that could cause data leakage.

Willison plans to be cautious with any data he does not want exposed to a third party, even if the risk appears minimal. He referenced previous work on prompt‑injection vulnerabilities, noting that such issues have persisted for "almost three years after we first started talking about them."

Implications for Enterprises

The release highlights a tension between rapid AI feature deployment and robust security. Enterprises considering Claude for sensitive business documents must weigh Anthropic’s mitigations against the documented concerns raised by security researchers. The situation suggests that competitive pressure in the AI arms race may be influencing product decisions, potentially at the expense of thorough security validation.

Overall, the episode underscores ongoing challenges in securing AI systems, especially as new capabilities like file creation expand the attack surface.

Generated with News Factory. Source: Ars Technica