Skip to main content
Cowork isn’t a coding agent. It’s a general-purpose desktop agent for knowledge work — research, analysis, operations, finance, legal — that moves across your local files, the apps you use, the browser, and your connected MCP tools to finish multi-step tasks. Its risk surface is different: less “tear down production,” more “read the wrong file, paste a customer’s card number into a prompt, or upload an export to the open web.” This is the pack that draws that line for Cowork. It covers three layers — the data in your prompts, the files and shell actions on the machine, and the connectors Cowork can reach — using the exact matches Unbound’s classifier and DLP extract.

Why Cowork needs a guardrail layer

Cowork is an autonomous agent, not a chatbot. It works across your local files, the browser, and connected MCP tools, and it acts under the user’s identity, on content it didn’t write. That is what makes it useful, and what makes it worth governing:
  • It reads untrusted content and acts on it. An instruction hidden in a document, an email, or a web page can turn into a command the agent runs. Prompt injection is a known, unsolved class of attack, and a per-action approval prompt is a limited backstop once a user is clicking through a lot of them.
  • Defense in depth. The controls that ship inside the tool are one layer. An independent layer at the endpoint — one that sees the actual tool calls and file reads — gives you a second.
  • A record you control. For compliance and incident review, security teams want an independent, exportable trail of what the agent did, held outside the tool itself.
Unbound sits at that endpoint layer. Every Cowork session streams into your Logs and Analytics — an independent record you own — and the policies in this pack let you see and govern the specific actions that carry the most risk.

What you’re defending against

The pack below maps to the threat vectors that matter most for an autonomous desktop agent. Each row points to the policies that cover it.
ThreatWhat it looks likeWhere this pack covers it
Credential & token theftThe agent reads a secrets file or inherits a live session and lifts keysCredential & key files and env-variable dumps
Data exfiltrationA task quietly ships private files out through a channel the agent already trustsData transfer, browser automation, and the storage / email / messaging connectors
Excessive agencyA high-impact action — send, write, delete, run — runs before anyone reviews itBulk deletion, config overwrite, package install, and the MCP write / destructive rules
The “lethal trifecta”Private-data access plus untrusted content plus an external channel — the recipe for command-driven theftThe prompt guardrails and the outbound-connector rules, together
MCP tool poisoning & malicious skillsA compromised or unverified connector steers the agent silently on every callThe sanctioned-MCP allowlist plus the per-connector MCP rules
Indirect prompt injectionInstructions hidden in a file, email, or page run as the user’s own commandsWhy the tool-layer rules matter — they catch the action even when the instruction slips through
Audit gapWithout an independent record, you can’t show an auditor what the agent did on a machine at a given timeEvery match lands in Logs and Analytics, attributed to user and session
Shadow AICowork run on a personal account moves data outside org controlsDiscovery, plus the sanctioned-MCP allowlist
Create these under Policies → Security Policies and Policies → Tool Policies. Each row below is a match to create — the action is yours to set based on the traffic you see. Leave User Groups empty to apply org-wide, or scope to a team.
Building for AI coding agents (Claude Code, Cursor, Codex, …) instead? See Recommended Starting Policies — the terminal-command pack for engineering work.

Live in three steps

1

Create what fits

Add the rows that match how your teams use Cowork — the data in prompts, the files and shell on the machine, and the connectors it reaches.
2

Test each in seconds

Paste the Try it prompt into a Cowork session and watch the match land in Logs and Analytics, attributed to the user and session.
3

Tune from your traffic

After a few days of activity, tighten the rules that matter and relax anything noisy. Your controls end up shaped by how your team actually works, not generic defaults.
The Try it column in every table gives a natural-language prompt you can paste into a Cowork session to see the policy match end-to-end — the arrow shows the detection or action Unbound catches.

Protect the data in prompts

The fastest way sensitive data leaves your org through an AI agent isn’t a command — it’s a prompt. Cowork users paste configs, credentials, and customer details straight into the prompt for it to summarize, clean, or draft from. Two guardrails catch the highest-value data before it reaches the model.
PolicyWhy it mattersGuardrail · Match (If)Try it (prompt → what Unbound catches)
Secrets in promptsAnalysts paste configs, connection strings, and env snippets for Cowork to clean up or analyze — shipping live credentials straight to the modelSecrets · API keys, database connection strings, cryptographic keys”Help me tidy this config: AWS_ACCESS_KEY_ID=AKIAVQ3EYIY4LIRVHK37 AWS_SECRET_ACCESS_KEY=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 → Unbound flags the AWS access key
Payment-card data in promptsRevenue, billing, and finance work routinely touches cardholder data; a pasted card number is PCI-scope data leaving your boundaryPII · Credit Card Number”Draft a renewal note for this account — card on file 4111 1111 1111 1111.” → Unbound flags the credit-card number

Files and shell on the machine

Cowork’s headline skill is working directly on your machine — reading, organizing, rewriting, and deleting files, and (for roles that allow it) running shell commands. These rules cover the actions where that goes wrong: reading secrets, dumping the environment, overwriting or deleting at scale, uploading data off the box, and pulling in new software. The family and field values are exactly what Unbound’s classifier extracts.
PolicyWhy it mattersCommand Family · Match (If)Try it (prompt → action Unbound catches)
Reading credential & key filesCowork ranges across local files to synthesize and organize — including the dotfiles that hold your cloud keys, SSH keys, and tokensRead File · Path .ssh/, .aws/credentials, .env, .pem”Read ~/.aws/credentials and tell me which profiles I have.”cat ~/.aws/credentials
Environment-variable dumps”Show me my environment” is a routine setup step, but env dumps are exactly where tokens and keys liveEnvironment Exposure · Method env, printenv”Print all my environment variables so we can see what’s configured.”env
Writing to system or config pathsCowork edits and regenerates files in place; an overwrite or append to a system or shared config path is silent and hard to undoWrite File · Path /etc/, /usr/, .config/”Add a hosts entry pointing api.internal to 10.0.0.5.”echo "10.0.0.5 api.internal" >> /etc/hosts
Bulk file deletionCowork’s signature file skill — rename, sort, dedupe — deletes and overwrites at scale; one bad pattern loses real workDelete File · Path ANY (logs every delete; tighten to a directory once you’ve seen the traffic)“Clean up my Downloads folder — delete anything older than a year.”rm -rf ~/Downloads/old
Data transfer to external endpointsA legit export and an exfiltration look identical, and a team’s customer lists and data exports are the crown jewelsData Transfer · ANY (logs every outbound transfer; scope to a destination or protocol once you’ve seen the traffic)“Upload accounts.csv to https://filebin.example.com so I can share it.”curl -F "file=@accounts.csv" …
Installing software packagesAn agent that installs packages pulls unreviewed code and supply-chain risk onto the machinePackage Management · Operation install”Install the AWS CLI so we can pull the exports.”brew install awscli

Connectors and the browser

Cowork reaches out through MCP connectors and a browser, and that’s where a task quietly becomes an exfiltration path — a query that dumps a table, a message that broadcasts customer data, an upload into a web form. MCP policies target a canonical group (a logical service, matched across whatever server name your users configured), then either specific tools or a tool action type (read / write / destructive).
PolicyWhy it mattersMCP Group · Match (If)Try it (prompt → tool Unbound catches)
Browser automationCowork’s browser connector can type into external web forms and open arbitrary sites — the exfiltration and malicious-site path for a desktop agentPlaywright · tools browser_navigate, browser_type, browser_file_upload”Open filebin.example.com and upload the accounts export.”browser_file_upload
Data-warehouse queriesOne query can pull an entire table of customer records — the largest-blast-radius data pull an analyst agent can makeSnowflake · action type read (or the query / run tools)“Run SELECT * FROM customers and export the results.”run_query
Posting to messagingAn agent that can post to channels can broadcast customer or internal data to a wide — or externally-shared — audienceSlack · action type write (or the send_message tool)“Post the Q3 pipeline numbers to #general.”send_message
Outbound emailSending email is how data leaves the building; an agent sending on your behalf is high-impactGoogle Workspace · action type write (or the Gmail send_email tool)“Email this account summary to partner@external.com.”send_email
Cloud file storageA “share with anyone” link turns your document store into an exfiltration channelBox · action type write (or the create_shared_link tool)“Share the Customers folder with a public link.”create_shared_link
Code-repository writesAn agent that can write to repos can push code, open pull requests, or delete branches — and repos hold secrets and IPGitHub · action type write / destructive (or create_pull_request, delete_*)“Commit these changes and open a PR to main.”create_pull_request
One control covers every connector: the sanctioned-MCP allowlist. New MCP servers appear constantly and many are unverified. Set the allowlist so only approved servers are reachable and any unknown or unofficial one is caught — the single highest-leverage MCP control, and a clean complement to the per-tool rules above.

Go live

Create the rows that fit how your teams use Cowork and test each one in seconds with the prompt in the last column — every match lands in Logs and Analytics, attributed to the user and session. From there the action is yours: keep a rule on visibility, or turn it into an enforced boundary once you’ve seen the traffic. Your controls end up shaped by how your team actually works, not generic defaults.