I don't think so, because I don't think you can trigger Cowork from an external program?
(I could be wrong!)
I'm not using the regular email connection methods, I don't want to give Anthropic complete access to my email account. I do a ton of deterministic checks first from a Go program that actually checks each email, to avoid lethal trifecta attacks. The model technically has no access to email at all. I only give a prompt with the necessary info, and access to a custom MCP reply tool that can only email me.
Basically I'd want Cowork within my external loop, and Anthropic wants to own the loop instead. (Unless I've missed a way to do it.)
----
EDIT: Also, to the person who just tried to lethal trifecta me - nice try, but you just demonstrated all the exact reasons Cowork / claude-code needs to be within the external loop of a deterministic program. This is why you don't just dump external input straight into context, or give the model direct access to everything. We're going to see a lot more of this, not just as more people use agents, but as more hosted webmail systems decide they need to add their own homebrew AI models into everyone's systems. And seriously, German servers really need to start tightening up their security.
Could you write a bit of local code (you said Go?) to dump the email you want acted on to a local file, then schedule Claude to check that file periodically?
Lethal Trifecta is the term Simon Willison (simonw) coined for the triple combination of giving an AI access to private data, context including external inputs (prompt injection risk), and tools for external output (enabling exfiltration):
EDIT: As for scheduling, Claude Desktop / Cowork only allows scheduling a task to run once an hour. That doesn't allow immediate responses to email or voicemail. Leaving my previous reply below though.
---
I can put emails in a text file easily for Claude to read, but scheduling 60 Claudes a minute to open a file that is usually empty... that's the kind of usage Anthropic is cracking down on. Claude doesn't enjoy spinning up with nothing to do either.
If I could set a 1 - 5 minute schedule in Claude Desktop, and create a hook tool that runs on SessionStart to checks the email, and can cancel the session before it starts if there's no email to react to, that might work. But I'd rather have my tiny email daemon in the background with 0% CPU and tiny RAM usage, than the Claude Desktop behemoth constantly at 3% CPU idle and eating up 500MB RAM unnecessarily. But still, thanks for the idea, it might save me money in June!
I don't think so, because I don't think you can trigger Cowork from an external program?
(I could be wrong!)
I'm not using the regular email connection methods, I don't want to give Anthropic complete access to my email account. I do a ton of deterministic checks first from a Go program that actually checks each email, to avoid lethal trifecta attacks. The model technically has no access to email at all. I only give a prompt with the necessary info, and access to a custom MCP reply tool that can only email me.
Basically I'd want Cowork within my external loop, and Anthropic wants to own the loop instead. (Unless I've missed a way to do it.)
----
EDIT: Also, to the person who just tried to lethal trifecta me - nice try, but you just demonstrated all the exact reasons Cowork / claude-code needs to be within the external loop of a deterministic program. This is why you don't just dump external input straight into context, or give the model direct access to everything. We're going to see a lot more of this, not just as more people use agents, but as more hosted webmail systems decide they need to add their own homebrew AI models into everyone's systems. And seriously, German servers really need to start tightening up their security.
What on earth is a lethal trifecta??
Could you write a bit of local code (you said Go?) to dump the email you want acted on to a local file, then schedule Claude to check that file periodically?
Lethal Trifecta is the term Simon Willison (simonw) coined for the triple combination of giving an AI access to private data, context including external inputs (prompt injection risk), and tools for external output (enabling exfiltration):
https://simonwillison.net/2025/Jun/6/six-months-in-llms/#ai-...
https://simonwillison.net/tags/lethal-trifecta/
EDIT: As for scheduling, Claude Desktop / Cowork only allows scheduling a task to run once an hour. That doesn't allow immediate responses to email or voicemail. Leaving my previous reply below though.
---
I can put emails in a text file easily for Claude to read, but scheduling 60 Claudes a minute to open a file that is usually empty... that's the kind of usage Anthropic is cracking down on. Claude doesn't enjoy spinning up with nothing to do either.
If I could set a 1 - 5 minute schedule in Claude Desktop, and create a hook tool that runs on SessionStart to checks the email, and can cancel the session before it starts if there's no email to react to, that might work. But I'd rather have my tiny email daemon in the background with 0% CPU and tiny RAM usage, than the Claude Desktop behemoth constantly at 3% CPU idle and eating up 500MB RAM unnecessarily. But still, thanks for the idea, it might save me money in June!
2 replies →