Coworker Agents Security Risks

Business Process Agents coworker.ai Exposed Giants
AI RISK QUADRANT POSITION DEFENSE CONTROLS (5) ATTACK SURFACE (5.24) EXPOSED GIANTS FORTIFIED LEADERS HUMBLE PROVIDERS TIGHT OPERATORS
AIRQ Score
3.53
Critical
Attack Surface
5.24
High
Blast Radius
4.13
Medium
Defense Controls
5
High
About The Agent

Coworker Agents is a cloud-hosted enterprise agent platform that runs autonomous AI workers around the clock across more than a hundred OAuth-connected business tools. Agents ingest context from Slack, CRM, email, tickets, and documents through a persistent organizational memory layer, then execute multi-step workflows including record updates, message sends, and ticket creation without requiring per-action operator intervention on the default configuration. The platform routes tasks to interchangeable LLMs and exposes an MCP server for external AI tool connectivity, extending the agent's reach beyond the vendor's own control plane.

About the AI Risk Quadrant

Exposed Giants placement reflects a moderate attack surface paired with a contained blast radius and partial vendor-shipped defenses. Coworker Agents inherits the full ingestion fan-in of an enterprise process agent connected to more than a hundred SaaS tools, and the trifecta of untrusted input, sensitive enterprise data, and external egress channels is fully triggered. Operators should prioritize input filtering and output monitoring as the two highest-leverage hardening layers before expanding autonomous execution scope.

1 Key Risks

The most critical security risks an operator inherits when deploying this agent in its documented default configuration. Coworker Agents concentrate risk at the input and output boundaries where no dedicated filtering exists, while the persistent organizational memory and broad OAuth-scoped tool access amplify the consequences of any successful injection.

Key Input Risks
Untrusted content from Slack messages, email, tickets, and event triggers across more than a hundred connected tools reaches the reasoning loop without any documented prompt filtering or injection detection [3]. Operators should deploy an external prompt injection proxy or restrict event-trigger sources to a vetted allowlist before expanding connector scope. [1][6]
Key Execution Risks
Agents execute API-scoped actions through OAuth-connected SaaS tools without shell or code execution, and the vendor isolates workloads on Kubernetes with IAM-scoped access and per-customer data stores. Operators handling regulated data should request independent verification of the tenant isolation boundary before deployment. [5][8]
Key Action Risks
Agents support fully autonomous execution for routine tasks by default, with approval gates available as an opt-in configuration per workflow rather than a mandatory default. OAuth-scoped credentials across more than a hundred integrations give each autonomous action write access to CRM records, tickets, and messaging channels. [1][6]
Key Output Risks
Agents emit text, create tickets, update CRM records, and send Slack messages across connected tools with no documented DLP, credential redaction, or exfiltration blocking [4]. Any output channel where the agent writes could carry data controlled by a prompt injection payload to a downstream consumer. [1][5]
Key Monitoring Risks
Vendor-documented audit trails log every agent action, and real-time monitoring dashboards provide alerting under the SOC 2 Type II program. Behavioral anomaly detection and SIEM forwarding are not documented as default capabilities, leaving advanced threat detection as an operator-managed responsibility. [5][12]

2 AIRQ Scores

The four headline scores quantify how exposed the agent is, how damaging a successful attack would be, and how much the agent’s own controls reduce that risk. Coworker Agents lands in the lower band of the risk-capability spectrum, with a moderate attack surface offset by contained blast radius and partial vendor-shipped defenses.

AIRQ Metrics

The agent sits in the Exposed Giants quadrant because its broad ingestion surface and trifecta-complete status outpace the vendor-shipped defenses, while the contained API-only blast radius keeps it below the high-impact threshold.

Each axis measures a distinct dimension of risk: attack surface and blast radius are scored against a ten-point scale, defense controls against fifteen, and the composite AIRQ score integrates all three.

Metric Score Comments
AIRQ Score 3.53 Moderate composite score indicates hardening priority at the input and output boundaries where vendor safeguards are absent.
Blast Radius 4.13 / 10 OAuth-scoped API access without shell or direct infrastructure control keeps the blast radius contained to credential and data reach.
Attack Surface 5.24 / 10 Ingestion across more than a hundred connected tools with no input filtering drives the attack surface into the moderate-to-high band with trifecta complete.
Defense Controls 5 / 15 Vendor documents cloud isolation and audit logging but ships no input filtering and no output data-loss controls on the default configuration.

3 Attack Surface

Attack surfaces are the entry points and interaction patterns through which adversarial input can reach the agent’s reasoning loop and steer its behavior. The dominant exposures for Coworker Agents are the unfiltered multi-channel ingestion from more than a hundred connected enterprise tools, the auto-indexed organizational memory without integrity verification, and autonomous task routing with no operator visibility into reasoning steps.

Attack Surface Metrics

Six of ten surfaces sit at the architectural third band, reflecting broad ingestion and orchestration scope with no confirmed exploitation against this specific agent.

Each row pairs a surface with its base score and a prose comment describing the architectural exposure the score reflects.

Surface Score Comments
User Input 3 / 4 Accepts prompts via Slack, web UI, event triggers, and MCP with no documented prompt shield or injection detection. [1]
External Data 3 / 4 Ingests emails, tickets, CRM records, docs, and calendar events from more than a hundred OAuth-connected tools with minimal content validation. [6]
Memory 3 / 4 OM1 organizational memory auto-indexes content from connected tools into a persistent knowledge graph with no documented integrity verification. [7]
Reasoning 3 / 4 Tasks route to interchangeable LLMs across multiple providers via intelligent model routing with no documented reasoning-step visibility for the operator. [8]
Planning 3 / 4 Agent Builder enables autonomous task decomposition with scheduled, event-driven, and manual triggers, where approval gates are configurable but not mandatory. [1]
Tool Execution 2 / 4 Executes scoped API actions across SaaS tools with configurable approval gates rather than running shell commands or arbitrary code. [6]
Orchestration 3 / 4 Agents run autonomously in the background with cron scheduling, event hooks, and a multi-agent control plane spanning the full connector set. [1]
Inter-Agent 2 / 4 Coworker MCP server enables external AI tools to invoke agents, with subagent delegation managed within the vendor's control plane. [8]
Output Processing 2 / 4 Outputs flow to Slack, email, CRM, and ticketing tools with OAuth permission scoping but no documented exfiltration blocking or DLP. [5]
Configuration 2 / 4 Agent configuration uses a managed no-code UI with OAuth-scoped connectors rather than auto-loading untrusted project-level config files. [1]

The Lethal Trifecta is triggered when an agent processes untrusted content, accesses private data, and communicates externally in the same session — the three conditions that turn an isolated prompt injection into full-chain exfiltration. Coworker Agents exhibits all three on the documented default [2]: event-triggered ingestion pulls untrusted content from Slack and email, the agent reads OAuth-scoped CRM and document data, and then writes back through the same channels without crossing any content-level control.

Lethal Trifecta · Complete (3 of 3)

Coworker Agents exhibits all three of these conditions in its documented default configuration:

  • Untrusted input — Slack messages, email content, and event triggers from more than a hundred connected tools feed adversary-controllable text into the reasoning loop. [1][6]
  • Sensitive data — OAuth-scoped access reads CRM records, support tickets, project documents, and calendar events containing private enterprise data. [6][10]
  • External egress — Agents send Slack messages, update CRM records, create tickets, and post follow-ups through the same OAuth channels without output filtering. [1][5]

4 Blast Radius

The blast radius is what an attacker who controls the agent can reach — which systems they touch, which credentials they read, and which actions they take without operator approval. A compromise of Coworker Agents reaches OAuth-scoped enterprise data across connected SaaS tools but does not extend to host shell, file system, or infrastructure control planes.

Blast Radius Metrics

One of six factors sits at the third band reflecting OAuth credential reach, while the remaining five stay at the first or second band due to API-only execution.

Each row ties a blast factor to the scope of access the agent holds through its documented OAuth connections and execution model.

Factor Score Comments
Code execution 1 / 4 No shell, browser, or code interpreter access; actions execute through scoped SaaS API calls only. [5]
File system access 1 / 4 Reads documents from connected tools via API; no direct file system write access to the operator's host environment. [6]
Network access 2 / 4 Outbound requests are domain-restricted to OAuth-connected SaaS endpoints rather than unrestricted internet access. [6]
Credential access 3 / 4 OAuth tokens for more than a hundred enterprise integrations give the agent scoped access to API credentials across the connected tool stack. [6][9]
Autonomous action 2 / 4 Agents execute scheduled and event-triggered actions autonomously by default; approval gates exist but require per-workflow opt-in activation. [1]
Deployment access 1 / 4 No documented capability to trigger deployments, modify infrastructure, or publish packages in the operator's environment. [8]

5 Defense Controls

Defense controls are what the agent’s own architecture does to detect, contain, and report attacks before they reach the operator’s systems. The vendor ships cloud-level isolation and structured audit logging as defaults but leaves input filtering and output data-loss controls entirely operator-managed.

Defense Controls Metrics

Higher scores indicate stronger vendor-shipped safeguards; Coworker Agents carries partial defenses concentrated in isolation and monitoring with gaps at the input and output boundaries.

Each component is scored on what the vendor implements by default versus what the operator must layer on after deployment.

Component Score Comments
Input Guardrails 0 / 3 No documented prompt shield, injection detection, or input validation pipeline; prompt injection payloads from connected tools reach the reasoning loop without interception. [5]
Execution Isolation 2 / 3 Cloud-hosted on GCP with Kubernetes workload isolation, IAM-scoped access, isolated ElasticSearch indexes per customer, and VPN-restricted infrastructure. [5]
Action Controls 1 / 3 Configurable approval gates and RBAC are available but agents can run fully autonomously by default, making approval coverage partial. [1]
Output Guardrails 0 / 3 No documented DLP, credential redaction, or exfiltration blocking; OAuth permission scoping is the only indirect output boundary. [5]
Monitoring 2 / 3 Complete audit trails for every agent action, real-time monitoring dashboards, and Secureframe continuous monitoring under the SOC 2 Type II program. [5][12]

6 Hardening Tips

Concrete actions an operator can take to reduce the risks reported above, grouped by which defense control each tip strengthens. Deploying input filtering and output monitoring would close the two widest defense gaps and lower the attack surface score; tightening approval gates next would reduce the autonomous action exposure.

Input Guardrails

Input guardrails intercept adversarial content before it reaches the reasoning loop.

Input Guardrails
  • Policy Require all new agent workflows to pass through a prompt-content review gate before activation — counters the absence of input filtering at the platform boundary.
  • Configuration Restrict which connected tools can trigger agent execution to a vetted allowlist — counters the broad event-trigger surface across more than a hundred connectors.
  • Engineering Deploy a prompt injection detection proxy between inbound messages and the agent reasoning loop [11] — counters User Input at the third band with zero input guardrails.

Execution Isolation

Execution isolation contains what a compromised agent can do on the host.

Execution Isolation
  • Policy Require the vendor to provision a dedicated GCP project or isolated Kubernetes namespace for workflows handling regulated data — counters shared infrastructure risk.
  • Configuration Enable VPC peering or air-gapped deployment options documented by the vendor for sensitive workloads — counters default shared-cloud isolation.
  • Engineering Instrument network-layer monitoring between the agent cluster and connected SaaS endpoints to detect anomalous API call patterns — counters the vendor-documented isolation tier.

Action Controls

Action controls govern which tools and actions the agent can invoke autonomously.

Action Controls
  • Policy Mandate approval gates on all workflows that write to CRM, messaging, or financial systems — counters the default fully-autonomous execution mode.
  • Configuration Configure agent-level OAuth scope restrictions to the minimum set required per workflow — counters broad credential reach across more than a hundred integrations.
  • Engineering Build a custom approval webhook that validates action parameters before execution — counters partial approval coverage where gates are opt-in per workflow.

Output Guardrails

Output guardrails inspect what the agent sends to other systems and users.

Output Guardrails
  • Policy Establish a data classification policy that maps which output channels may carry which data sensitivity levels — counters the absence of output filtering.
  • Configuration Enable conditional formatting rules in downstream tools to flag agent-generated messages containing sensitive patterns — counters zero output guardrails.
  • Engineering Deploy a DLP inspection layer on agent output channels to detect and block credential or PII leakage before delivery — counters Output Processing with no exfiltration blocking.

Monitoring

Monitoring captures what the agent did and surfaces anomalies for review.

Monitoring
  • Policy Require periodic review of agent audit trails as part of the SOC 2 continuous monitoring program — counters the gap between logging and active threat detection.
  • Configuration Forward agent action logs to the organization's SIEM for correlation with broader security telemetry — counters the absence of documented SIEM integration.
  • Engineering Build behavioral anomaly detection rules that flag unusual agent action patterns such as bulk data reads or off-hours execution — counters Monitoring at the second band without anomaly detection.

7 References

The evidence base behind every score and finding in the profile, grouped by source type so the reader can verify any claim. Numbers in brackets throughout the report (e.g. [7, 13]) refer to entries below, listed in citation order.

Selected Vulnerabilities

  1. Coworker Agents product page Vendor agent docs covering autonomous modes, approval gates, input channels, scheduling, Agent Builder

Selected Research

  1. Three-condition exploit chain for AI agents Framing of three conditions turning prompt injection into full-chain exfiltration for tool-using LLM systems
  2. Design Patterns for Securing LLM Agents Academic defense patterns for agents with tool access handling sensitive data
  3. Three-condition exploit chain in enterprise agentic AI Enterprise-scale analysis of context poisoning, data exfiltration, and MCP-amplified risks

Vendor Documentation

  1. Coworker security and compliance docs Data flow architecture, K8s isolation, IAM policies, SOC 2 Type II via Secureframe
  2. Coworker connectors page 142+ OAuth integrations with permission-aware access, REST API, MCP server
  3. Coworker organizational memory OM1 persistent knowledge graph, 120+ dimensions, permission-aware retrieval
  4. Coworker platform page Agent builder, intelligent model routing, approval workflows, organizational memory
  5. Coworker privacy policy Data collection practices, SSL encryption, security disclaimers
  6. Coworker data privacy and permissions Three privacy policies: private data stays private, source permissions, business purposes

Other Sources

  1. Agentic AI security challenges Business process agent attack surfaces, three-condition exploit chain, least-privilege mitigations
  2. Coworker enterprise AI security blog SOC 2 Type II with 193 tests across 20 controls, CASA Tier 2 verification