Open Cowork takes the common idea of a desktop AI assistant beyond just wrapping a language model in a GUI. Instead, it tackles one of the harder problems in practical AI agent deployment: how to let AI agents execute commands and access the file system safely. Its answer is to run all AI agent commands inside fully isolated Linux VMs, using WSL2 on Windows and Lima on macOS, providing a sandbox environment that protects the host system from unintended or malicious commands.
What Open Cowork does and how it’s built
Open Cowork is an open-source, cross-platform desktop application built in TypeScript that wraps multiple large language models (LLMs) such as Claude Code, OpenAI models, Gemini, DeepSeek, GLM, and Kimi. Unlike many AI chat or agent tools that simply provide a chat window, Open Cowork provides a full sandboxed workspace where AI agent commands are routed through VM-level isolation.
The architecture hinges on leveraging existing lightweight VM technologies: Windows Subsystem for Linux 2 (WSL2) on Windows and Lima on macOS. These VMs run Linux distributions (Ubuntu on macOS via Lima) that mirror the user’s workspace, allowing the AI agents to execute Bash commands, scripts, and other operations inside a controlled environment. This approach reduces the risk of damaging the host OS or leaking sensitive data unintentionally.
Open Cowork also integrates a Skills system enabling the AI to generate and manipulate documents in PPTX, DOCX, XLSX, and PDF formats. Beyond document generation, it supports the Model Context Protocol (MCP), which allows the AI to connect and interact with external apps like browsers and Notion, extending its capabilities beyond local execution.
The app includes remote control features supporting collaboration and automation via popular chat platforms such as Feishu (Lark) and Slack. This makes it a versatile tool for users wanting to orchestrate AI agents remotely or in collaborative contexts.
The sandbox architecture and multi-model integration that set it apart
The standout technical strength of Open Cowork lies in its multi-layered sandbox protection. Most AI agent desktop tools either do not isolate system commands at all or use lightweight containerization that might not fully isolate the host environment. Open Cowork’s choice of VM-level sandboxing via WSL2 and Lima is a deliberate tradeoff prioritizing security and isolation over the additional resource overhead that comes with running full VMs.
Under the hood, when Open Cowork detects WSL2 on a Windows machine, it automatically routes all Bash commands to a Linux VM. The workspace folder is synced bidirectionally between Windows and the VM, ensuring the AI agent operates with up-to-date data while being confined. On macOS, the app leverages Lima to spin up an Ubuntu VM with the user’s home directory mounted, achieving similar isolation. In both cases the isolation boundary is the VM itself: the synced workspace, and whatever the Lima mount exposes, remain reachable by commands running inside it.
If no VM is available, Open Cowork falls back to running commands natively but restricts file operations to the workspace folder via a path guard, providing a basic level of sandboxing.
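One way to implement a workspace path guard of the kind described above, as an added example that is not Open Cowork's own code. The names `guardPath`, `isAllowed` and `makeFixture` are hypothetical, and the fixture is constructed to cover `..` traversal, a sibling directory sharing the workspace's name prefix, and symlinks that lead out of the workspace.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Canonicalize a path that may not exist yet: realpath the deepest existing ancestor, re-append the rest.
function realpathAllowMissing(p: string): string {
  let current = path.resolve(p);
  const tail: string[] = [];
  for (;;) {
    try {
      return path.join(fs.realpathSync(current), ...tail);
    } catch (err) {
      if ((err as { code?: string }).code !== "ENOENT") throw err;
      // A dangling symlink would redirect a later write to its target: refuse it.
      if (fs.lstatSync(current, { throwIfNoEntry: false })) throw new Error("dangling symlink");
      const parent = path.dirname(current);
      if (parent === current) throw err;
      tail.unshift(path.basename(current));
      current = parent;
    }
  }
}

// Hypothetical guard: returns the canonical path if it stays inside `workspace`, else throws.
function guardPath(workspace: string, requested: string): string {
  const root = fs.realpathSync(workspace);
  const target = realpathAllowMissing(path.resolve(root, requested));
  const rel = path.relative(root, target);
  // Compare path components, not string prefixes: ".../work-evil" starts with ".../work".
  const escapes = rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel);
  if (escapes) throw new Error(`path escapes workspace: ${requested}`);
  return target;
}
function isAllowed(workspace: string, requested: string): boolean {
  try { guardPath(workspace, requested); return true; } catch { return false; }
}

// Constructed fixture: a workspace, a sibling sharing its name prefix, and symlinks leading out.
function makeFixture(): string {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "guard-"));
  const ws = path.join(base, "work"), sibling = path.join(base, "work-evil");
  fs.mkdirSync(ws); fs.mkdirSync(sibling);
  fs.symlinkSync(sibling, path.join(ws, "link"));
  fs.symlinkSync(path.join(sibling, "new.txt"), path.join(ws, "dangling"));
  return ws;
}

const demoWs = makeFixture();
console.log(["notes/a.txt", "link/x", "dangling"].map((p) => `${p} -> ${isAllowed(demoWs, p)}`));
```

A guard like this validates the path at check time only, so the caller should open the canonical path that `guardPath` returns rather than the original string. It narrows file access but does nothing about what a natively executed command can do by other means, which is the gap the VM route closes.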
This architecture solves a real problem: AI agents with file system and command execution access can inadvertently or maliciously cause harm to the host system. By isolating all AI commands inside VMs, Open Cowork reduces the attack surface and shields the user’s primary environment.
Supporting multiple LLMs in one app is another practical strength. It provides flexibility to choose from Claude Code, OpenAI, Gemini, DeepSeek, GLM, and Kimi models, which can have different strengths, language support, or cost profiles. The Skills system further extends functionality with built-in document generation and GUI automation, making the tool more than a simple chat window.
On the downside, relying on full VMs introduces latency and resource usage overhead, which might be noticeable on lower-end machines. The requirement to install and configure WSL2 or Lima adds complexity and a barrier to entry for less technical users. However, these tradeoffs are justified by the improved sandboxing and security.
Quick start with Open Cowork
Open Cowork offers multiple installation options for macOS and Windows users.
Option 1: Homebrew (macOS, Recommended)
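```bash
brew tap OpenCoworkAI/tap
brew install --cask --no-quarantine open-cowork
```
The `--no-quarantine` flag bypasses macOS Gatekeeper, so you won’t see the “Apple cannot verify this app” warning. It also means Gatekeeper does not check the app on first launch, so confirm that the tap and release are the ones you intend to trust before using it.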
Option 2: Download Installer
Get the latest version from the Releases Page.
| Platform | File Type |
|---|---|
| Windows | .exe |
| macOS (Apple Silicon) | .dmg |
Option 3: Build from Source
For developers who want to contribute or modify the codebase:
```bash
git clone https://github.com/OpenCoworkAI/open-cowork.git
cd open-cowork
npm install
npm run rebuild
npm run dev
```
To build the installer locally:
```bash
npm run build
```
Security configuration: sandbox setup
Open Cowork detects WSL2 on Windows and Lima on macOS automatically if installed. It is recommended to install these for enhanced isolation:
- Windows: install WSL2 following Microsoft’s official instructions.
- macOS: install Lima via Homebrew:

  ```bash
  brew install lima
  ```
If no VM is detected, Open Cowork will run commands natively but restrict file access to the workspace.
Verdict
Open Cowork is a thoughtful approach to the problem of running AI agents locally with command execution capabilities. Its VM-level sandboxing via WSL2 and Lima is a notable design choice that prioritizes security and isolation, which many competitors overlook.
The multi-model support and Skills system add practical value, enabling users to generate office documents and automate GUI tasks from within the same app. Remote control via chat platforms further broadens its applicability.
The tradeoff is increased complexity in setup and some resource overhead due to VM use. This may not be ideal for casual users or for those who are not comfortable installing and managing WSL2 or Lima.
Overall, Open Cowork is suited for developers, AI enthusiasts, and organizations wanting a safer, extensible local AI agent platform that balances flexibility with host protection. If you need an AI assistant that can safely interact with your file system and external apps, and you don’t mind the VM setup, Open Cowork is worth exploring.
→ GitHub Repo: OpenCoworkAI/open-cowork ⭐ 1,175 · TypeScript