The 10 GB surprise
You install Claude Desktop on your Mac. Everything’s fine, the app is lightweight. But one day you check your disk and discover this:
~/Library/Application Support/Claude/vm_bundles/claudevm.bundle
10.8 GB.
Excuse me? Ten gigs for a chatbot? What’s in there, the extended Lord of the Rings trilogy?
Nope. It’s Ubuntu.
The Claude product trinity
Before I explain the what, let me explain the why. Anthropic has three ways to give you access to Claude:
| Product | Where it runs | For whom |
|---|---|---|
| claude.ai | Anthropic’s servers | Everyone |
| Claude Desktop + Cowork | VM on your Mac | Professionals |
| Claude Code | Directly on your system | Developers |
The web version is the safe option: everything happens on Anthropic’s cloud, nothing touches your machine. But if you want Claude to do real things on your computer — create documents, run code, move files — you need something more.
And that’s where Cowork and Claude Code come in, two completely different philosophies.
Cowork: Claude Code for the rest of us
Cowork is the name of the agent that Anthropic launched on January 12, 2026. Its official tagline:
“Claude Code for the rest of your work”
While Claude Code is designed for developers who live in the terminal, Cowork is designed for you when you’re not programming. The lawyer who wants to organize contracts. The analyst who needs to extract data from 50 PDFs. The teacher who wants to convert their notes into a presentation.
What it can do
- You give it access to a folder on your Mac
- Claude reads, edits, and creates files within it
- Can create Office documents (Word, Excel, PowerPoint) without you having anything installed
- Can execute Python or JavaScript code if needed
- Can launch multiple “sub-agents” in parallel for heavy tasks
Real example
“Hey Claude, I have 30 receipt screenshots in this folder. Make me a spreadsheet with date, description, and amount for each one.”
And Claude does it. Reads the images, extracts the data with OCR, creates the Excel file, and leaves it there for you.
The curious fact
Cowork was built almost entirely by Claude Code in 1.5 weeks. Claude writing the next generation of Claude products. Inception but with fewer DiCaprios and more tokens.
The VM: The security trick
Here’s the clever part. When Cowork executes code or manipulates files, it doesn’t do it directly on your Mac. It does it inside a completely isolated Ubuntu virtual machine.
Why? Because letting an AI execute arbitrary code on your system is like giving your house keys to a very smart stranger. They might be trustworthy, but better that they don’t have access to the knife drawer.
What’s inside those 10 GB
| Component | Size | What it’s for |
|---|---|---|
| Ubuntu 24.04 | ~3 GB | The operating system |
| Chromium + Playwright | ~920 MB | For web scraping and automation |
| LibreOffice | ~148 MB | Create Office documents |
| Node.js, Python, Java | ~600 MB | Execute code |
| CJK Fonts | ~305 MB | Chinese/Japanese/Korean support |
| Pandoc, LaTeX | ~450 MB | Document conversion |
In plain English: it’s a complete office environment inside a security box.
The security model
flowchart TB
subgraph mac[" 🖥️ Your Mac (host) "]
direction TB
subgraph vm[" 🐧 Ubuntu VM (sandbox) "]
direction LR
subgraph claude[" 🤖 Claude runs here "]
A[" ❌ No disk access "]
B[" 🔒 Filtered network "]
C[" 🔄 Resets each session "]
end
folder[" 📁 /mnt/user-data/ <br> Your shared folder "]
end
inaccessible[" 🚫 Rest of your Mac: INACCESSIBLE "]
end
The VM can only see the folder you give it access to. It can’t touch your photos, your documents, your .ssh. Even the network is filtered: it can only talk to PyPI, npm, GitHub and little else.
If Claude screws up inside the VM, the damage stays contained there.
Claude Code: No safety net
And then there’s Claude Code, which is… another story.
| |
Claude Code has no VM. No sandbox. No safety net. When you tell it “run this command,” it executes it directly in your terminal. With your permissions. With access to your files. With your SSH keys.
It’s like the difference between showing someone a photo of your house and giving them your house keys.
Why would I want that?
Because if you’re a developer, you need Claude to have real access to your environment:
- Your git repository with all its files
- Your build tools (
npm,cargo,uv) - Your tests to run them
- Your credentials to deploy
You can’t develop serious software from inside an isolated VM that knows nothing about your project.
The permission model
Claude Code isn’t the wild west. It has a permission system:
- Always allowed: Read files, search code
- Requires your OK: Execute commands, write files, make network requests
Every command it wants to execute, it shows you first. You decide whether to approve it.
Claude wants to execute: npm test
[Approve] [Deny] [Always approve]
The model is: I trust Claude to read and understand my code, but I want to see what it’s going to do before it does it.
Cowork vs Claude Code: The comparison
| Aspect | Cowork | Claude Code |
|---|---|---|
| Interface | Graphical app | Terminal |
| Isolation | Complete VM | None |
| Office documents | ✅ Included | ❌ Install them yourself |
| Access to your repo | ❌ Only given folder | ✅ Everything |
| Git push | ❌ No config | ✅ Your credentials |
| Network | Filtered | Complete |
| If it screws up | Damage contained | Can affect your system |
| Startup | ~5-10s | Instant |
| Disk | ~10.8 GB | ~50 MB |
When to use each one?
Use Cowork when:
- You want to create/edit Office documents
- You need to execute code that isn’t yours (suspicious by default)
- You’re organizing personal files
- You’re not a developer
Use Claude Code when:
- You’re developing software
- You need access to your repo, tests, tools
- You want to deploy
- You’re debugging something that requires system access
And what about Copilot?
A lot of people ask me how this compares to GitHub Copilot. Short answer: different philosophies.
Copilot is autocomplete on steroids. It lives inside your IDE, suggests code as you write, line by line. It’s fast, doesn’t interrupt your flow, and is great for boilerplate.
Claude (Cowork/Code) is an agent. It makes plans, executes complete tasks, touches multiple files. It’s slower but more powerful.
| Scenario | Better option |
|---|---|
| Writing code fast | Copilot |
| Massive refactoring | Claude |
| Completing patterns | Copilot |
| Understanding legacy code | Claude |
| Complex debugging | Claude |
| PR reviews on GitHub | Copilot |
The conclusion I’ve seen in the community:
“Copilot makes you faster. Claude makes you better. In 2026 you need both.”
Can I delete the VM?
Yes. If you don’t use the code execution features:
- Claude Desktop → Settings
- Disable “Code Execution and File Creation”
- Optionally:
rm -rf ~/Library/Application\ Support/Claude/vm_bundles/
You get back 10 GB. You still have normal chat with Claude.
Wrap-up
Next time someone asks you why Claude Desktop takes up so much space, you know what to tell them: because inside there’s a whole Ubuntu with LibreOffice, Chromium, Python, Node and everything needed for Claude to work with files for real.
It’s the price of security. They could have made Claude execute code directly on your Mac, but then every time Claude screwed up (and LLMs do screw up), the damage would be real.
I prefer 10 GB of VM over an accidental rm -rf / in my home directory.
Want to know more about Claude Code? Here’s my git optimization tutorial that I wrote with it.