Windows Announces “Experimental Agentic Features,” Admits Potential for Prompt Injection and Malware

Windows will be getting a new feature called Copilot Actions that will allow Copilot to perform actions on behalf of the user by interacting with local files and applications.

The agents will use a separate, contained environment called an ”Agent Workspace,” effectively acting “like a separate desktop instance just for Copilot.” Some example use cases they give are sorting through your files, converting files, and extracting data from PDFs.

They say they are starting out with a narrow set of use cases “while we optimize model performance and learn.”

Microsoft assures us that they’re taking security seriously with this feature and trying to isolate and give the agents minimal privileges, but there will always be potential for the agents to do something you don’t want them to, as they themselves admit:

Additionally, agentic AI applications introduce novel security risks, such as cross-prompt injection (XPIA), where malicious content embedded in UI elements or documents can override agent instructions, leading to unintended actions like data exfiltration or malware installation.

This all might bring flashbacks of Windows Recall, a feature that Windows assured us was very secure. While it’s admirable to put so much effort into securing new features, in the end it will always be less secure to have it than to not have it.