Claude + Consensus: A Powerful Duo—But Know the Risks Before You Click Install
Last Updated on April 7, 2026
As medical writers and editors, we’re always looking for tools that help us work smarter. The combination of Claude (Anthropic’s AI assistant) and Consensus (an AI-powered academic search engine) is genuinely exciting—and if you haven’t tried it yet, you should. But as with any powerful tool, it pays to understand what you’re getting into. This post breaks down the risks clearly, so you can use these tools confidently and safely.
Claude + Consensus: A Great Starting Point
When you connect Claude to Consensus through Claude’s web interface, you get something really useful: Claude can search peer-reviewed literature on your behalf and weave the findings into a coherent, synthesized response. For medical writers researching a new therapeutic area or checking the evidence base for a claim, this is a genuine time-saver.
The good news is that this combination is one of the lower-risk AI setups available. Consensus is read-only—it searches papers, it doesn’t take actions on your computer or accounts. You’re not granting access to your files, your desktop, or anything else. If something goes wrong, the blast radius is small.
That said, there are a couple of risks worth knowing about that don’t exist when you use the two tools in separate browser tabs.
Prompt injection. When Consensus returns results, that content flows directly into Claude’s context automatically. In theory, content embedded in a paper or search result could be crafted to influence how Claude behaves—essentially hijacking the conversation. This is an emerging and mostly theoretical risk right now, but it’s the main new attack surface that comes from connecting the two tools. Anthropic outlines how your data are handled and protected in their Privacy Centre.
False confidence in synthesized answers. When Claude reads Consensus results and summarizes them for you, errors can be harder to spot than if you were reading raw search results yourself. A subtly wrong finding, presented fluently, can look authoritative. The practical fix: always check the original sources before relying on anything clinically significant. Use this combination as a research accelerator, not a replacement for source verification.
Both of these risks are manageable, and neither should put you off using Claude + Consensus. Just go in with your eyes open.
Cowork: An Entirely Different Beast
If Claude + Consensus is a research assistant, Cowork—the agent proposed as part of the Claude + Consensus partnership—is more like handing someone the keys to your office. Launched in early 2026 and still in research preview, Cowork is Anthropic’s desktop agent—it can read, edit, and create files on your computer, control your browser, and connect to apps like email and calendar. For automating multi-step tasks, it’s impressive. But the risk profile is in a completely different league.
Here’s what you need to understand before installing it on a work machine.
It has broad access to your system. Whatever files and applications you can access, Cowork can access. Whatever mistakes you could make—sending the wrong document, deleting the wrong file—it can make, potentially faster and at scale. Citrix puts this well: the real enterprise risk isn’t AI training data leakage—it’s AI agents executing actions in your work environment.
The “sandbox” has a gap. Cowork runs inside a virtual machine (VM; a kind of isolated container) for most tasks, which provides some protection. But the Computer Use feature—which lets Claude actually control your desktop—runs outside that container, directly on your machine. That’s a meaningful distinction, and one that Pluto Security’s detailed reverse-engineering of Cowork’s architecture makes very clear.
Known vulnerabilities exist. Security researchers have demonstrated a proof-of-concept attack where a malicious document given to Cowork could cause it to exfiltrate files. Anthropic has acknowledged it cannot remotely stop the tool mid-task if something goes wrong. Several other security issues are currently in the process of being disclosed and patched.
There is no audit trail. No record of Cowork’s activity appears in any log or compliance export—at any subscription level. If you work under any regulatory framework that requires documentation of how you handle data (and many medical writers do), this is a serious gap.
Model Context Protocol (MCP) connectors expand the risk further. Each additional app you connect to Cowork (eg, Slack, email, calendar) adds another potential entry point for attackers and another channel through which your data flows.
Anthropic themselves advise caution. Their own documentation recommends against using Cowork alongside applications that handle sensitive data. It is still a research preview, not a finished, hardened product. For a more accessible overview of the risks, this Substack piece is a good starting point for less technical readers.
The Bottom Line
Think of these tools on a spectrum of risk.
Claude + Consensus in a browser sits at the safer end. It’s a genuinely useful combination for medical writers, the risks are limited and manageable, and the main precaution is simply to verify sources rather than trust synthesized outputs uncritically. If you’re not using this yet, it’s worth exploring.
Cowork is a different proposition. It’s powerful, and it will likely become an important tool as it matures—but right now, it’s a research preview with real security gaps, no audit trail, and capabilities that extend far beyond anything Claude can do in a browser. On a personal computer, it requires careful setup and awareness. On a work computer—especially one that handles clinical data, client documents, or anything regulated—it should not be installed without explicit sign-off from your IT or information security team.
Not many freelancers have an IT or IS team, so I will share my notes. (You know I have notes!) The only way I would use the Cowork agent would be on an isolated machine that contains only an OS, Cowork, the pertinent files for the project at hand, Word, and a browser with its own sign-in (to avoid syncing and exposing information contained in browsers, including passwords, for example). Nothing else. No syncing with online drives, no password management, nothing. And I absolutely would not work with IP, client data, sensitive data, proprietary data, etc, in Cowork.
The gap between these tools isn’t just about features. It’s about how much of your digital environment you’re inviting the AI into. Knowing where that line is—and making a deliberate choice about which side of it you’re on—is the most important thing you can take away from this post.
Have questions about AI tools and how to use them safely in your medical writing practice? Get in touch with the DCC Cyber team.
