A Tool to Make a Lawyer’s Work More Efficient
Claude, while not a substitute for a lawyer’s judgment, can make a lawyer’s workflow more efficient and can be used ethically. In a short article posted to X and LinkedIn, Zack Shapiro described how his law firm uses Claude to save time reviewing documents, drafting emails, and doing legal research. Shapiro creates skills, or custom plans, within Claude that evaluate information and carry out tasks based on the instructions that Shapiro has provided. He notes that Claude’s output is not a substitute for his judgment and that the AI tool is not there to practice law. The tool only assists and the attorney will review its output and make all judgment calls. He can use Claude as he practices law to evaluate revised terms of a contract suggested by an opposing party and Claude will flag provisions to concede and provisions to fight for. Claude can do multiple legal research processes simultaneously and check its own work so that the results of its research are verified and no hallucinations are present. He notes that Claude speeds up efficiency in the practice of law, allowing a smaller law firm to evaluate and revise a contract with an opposing party in hours, the same type of work that would take all night for three associates to do. Shapiro mentions how lawyers who use various computerized tools have a duty to maintain the confidentiality of client information while using these tools. Also, he mentions that ethics rules and guidance permit attorneys to use these tools as long as the lawyer is not allowing the generative AI tool to train on the lawyer’s input, the lawyer knows how the tool handles data, and the lawyer records the lawyer’s rationale for making decisions.1 Even with giving those tips about the lawyer’s ethical responsibility, Shapiro does not mention the elephant in the room: the security risk of prompt injections.

Image from Wikimedia Commons
Prompt Injections are a Security Risk
Shortly after Anthropic released Claude Cowork, users discovered that Cowork was vulnerable to prompt injections that take users’ files without their permission.2 Imagine what effect such a prompt injection could have on lawyers who use the tool with confidential client files. A “prompt injection,” also known as a “prompt injection attack” is an attack in which a hacker takes a malicious prompt that is disguised as a legitimate prompt and uses that prompt to get a large language model to release confidential information or provide misinformation, run malicious programs, or infect a user’s contacts with the prompt injection (for example, the case of an attack that goes into effect when the user asks an artificial intelligence assistant to read and summarize an email).3 These prompt injections can affect generative AI systems that edit, move, and create files.4 For example, any AI system that can edit Microsoft Word documents, create new ones, and rearrange them is subject to prompt injection. Currently, there is no solution that can prevent prompt injections altogether, however, there are ways to mitigate the damage that these types of attacks can do.5 For example, limiting the AI system’s or API integration’s access only to files necessary to do its work (which can minimize damage done if a prompt injection occurs), blocking inputs that look like known prompt injections, and requiring humans to ensure outputs are correct and authorize the actions of generative AI systems.6
One Company, Many Arms (pun intended)
Recently, Anthropic, the maker of Claude AI products, lost its contract with the federal government when the Department of War decided not to agree with Anthropic’s guardrails for use of its products: namely the Department of War would not give assurances that the products would not be used for domestic surveillance or autonomous weapons.7 Shortly thereafter, the Department of War designated Anthropic’s products as a supply chain risk,8 a determination typically used for foreign companies and not a company like Anthropic which is based in the United States.9 Anthropic has vowed to fight this determination in court10 and employees at Google and OpenAI have signed a petition in support of Anthropic’s stance.11 Meanwhile, OpenAI appears to have taken Anthropic’s place with its recently announced government contract.12 On March 26, 2026, the United States District Court for the Northern District of California granted Anthropic a preliminary injunction against the federal government’s designation of Anthropic as a supply-chain risk.13 Nathan E. Sanders notes that Anthropic is branding itself as a “moral” company by taking its stance and that in the United States Anthropic has the freedom to take its stance and the Department of War has the freedom to choose with whom to contract yet questions the Department of War’s rationale for labelling Anthropic a supply chain risk. He asserts that both private companies and the government act in their own interests. 14 there is an issue that hits closer to home for those who teach legal research and the law students who become lawyers who use generative AI systems to do legal research and make their practice of law more efficient. That issue is whether lawyers are comfortable with using products that help them do legal research being provided by the same companies that have contracts to gather and provide information such as cell-phone records, data from license plate readers, utility records, credit reports, etc. to government agencies.15 Or, in the case of companies that provide generative AI systems that make a lawyer’s work more efficient, are the lawyers comfortable with the same companies contracting with the Department of War to provide services? The issue represents how information and information services are being consolidated into fewer and fewer hands which raises issues of: How does that consolidation affect the information I receive? How does that consolidation affect the information that I leave in the generative AI system when I use one of these products? At least from an anecdotal standpoint, in Advanced Legal Research class discussions on providers of legal information services, students have said that they did not think that companies that own the subscription databases that they use for legal research should contract with government agencies to provide the dossier information I mentioned above.16 Why does it matter? Because users of legal information products may be unsure of where their information is going. When using any legal information product or generative AI system, there are many considerations such as ethical issues and security risks. All these considerations present judgment calls for users and potential users of these products.
References- Zack Shapiro, The Claude-Native Law Firm, LinkedIn (Feb. 27, 2026), https://www.linkedin.com/pulse/claude-native-law-firm-zack-shapiro-qf7se [https://tinyurl.com/nhhz77yh].[↩]
- Matthias Bastian, Claude Cowork hit with file-stealing prompt injection days after Anthropic’s launch, the decoder (Jan. 17, 2026), https://the-decoder.com/claude-cowork-hit-with-file-stealing-prompt-injection-days-after-anthropics-launch/ [https://tinyurl.com/mwrf4yzh] and Prompt Armor Threat Intel Team, Claude Cowork Exfiltrates Files (no date), https://www.promptarmor.com/resources/claude-cowork-exfiltrates-files [https://tinyurl.com/4rcvha29].[↩]
- Matthew Kosinski & Amber Forrest, What Is a Prompt Injection Attack? IBM, (Mar. 26, 2024), https://www.ibm.com/think/topics/prompt-injection [https://tinyurl.com/muavjsud].[↩]
- Id.[↩]
- Id.[↩]
- Id.[↩]
- Dario Amodei, Where things stand with the Department of War (Mar. 5, 2026), https://www.anthropic.com/news/where-stand-department-war [https://tinyurl.com/4eujnz5z] and Associated Press, Pentagon Labels AI Company Anthropic a Supply Chain Risk, NPR, Mar. 6, 2026, https://www.npr.org/2026/03/06/g-s1-112713/pentagon-labels-ai-company-anthropic-a-supply-chain-risk [https://tinyurl.com/zyrp45d7].[↩]
- Amodei, supra note 7 and Associated Press, supra note 7.[↩]
- Associated Press, supra note 7.[↩]
- Amodei, supra note 7 and Mariella Moon, Anthropic Says It Will Challenge Defense Department’s Supply Chain Risk Designation in Court, Engadget (Mar. 6, 2026), https://www.engadget.com/ai/anthropic-says-it-will-challenge-defense-departments-supply-chain-risk-designation-in-court-054459618.html [https://tinyurl.com/msu8395y].[↩]
- Open Letter: We Will Not Be Divided, Current and Former Employees of Google and OpenAI, (2026), https://notdivided.org/ [https://tinyurl.com/3rcbydfb].[↩]
- Associated Press, supra note 7.[↩]
- While Anthropic’s stance and the Department of War’s methods for choosing which products to use in accomplishing its goals are well beyond the scope of this blog post,((Order Granting Motion for Preliminary Injunction, Anthropic PBC v. U.S. Department of War et al., (March 26, 2026) (No. 26-cv-01996-RFL).[↩]
- Nathan E. Sanders, Anthropic and the Pentagon (March 6, 2026), Schneier on Security, https://www.schneier.com/blog/archives/2026/03/anthropic-and-the-pentagon.html [https://tinyurl.com/yubu23w4].[↩]
- Latia Ward, Information Hegemony, Transcending Positivism, and Applying Critical Legal Information Literacy Concepts in the Legal Research Classroom and Beyond, 10 J. of Radical Librarianship, 36, 43-44 (2024), https://www.journal.radicallibrarianship.org/index.php/journal/article/download/99/90 [https://tinyurl.com/4hvahdta].[↩]
- I teach Advanced Legal Research and these discussions have occurred in the context of discussing assigned readings from Data Cartels: The Companies that Control and Monopolize Our Information by Sarah Lamdan.[↩]