How to set up Claude’s desktop app to build local agents — start to finish
Before we start: this walkthrough opens with a security step that most “how to use Claude” guides skip. We do it first on purpose. If you’ve ever copied a SKILL.md from a GitHub repo or pasted a “Claude agent prompt” from a blog post into your project, you’ve added an instruction file your agent follows — sight unseen. Snyk’s ToxicSkills audit (Feb 2026) scanned ~4,000 marketplace skills and found more than a third carry at least one security flaw, and 1 in 8 hit critical severity; prompt injection turns up in 9 of 10 of the confirmed-malicious ones. You wouldn’t chmod +x a random stranger’s script. We shouldn’t drop a stranger’s SKILL.md into our Claude folder without checking it either.
That’s the operating frame for the rest of this piece. We’re not just learning a tool — we’re picking up habits for a category that’s a few months old and where supply chains aren’t yet a solved problem.
What you need before you start
- A Claude Max subscription (the desktop app’s local agent features need it)
- The Claude desktop app installed (macOS or Windows; download from claude.ai/download)
- A folder on your machine where you want to keep your Claude projects — anywhere, mine is
~/Claude/but it doesn’t matter
That’s it. No CLI install, no GitHub account, no Anthropic API key.
Step 1 — Install the desktop app and open Claude Code mode
Open the desktop app and look at the mode selector. You’ll see at least two modes for working with projects:
- Cowork mode — the higher-level interface with a richer chat UI. Great once you know what you’re doing.
- Claude Code mode — a more traditional terminal-feeling interface inside the desktop app. Despite the name, you don’t need to be a CLI engineer to use it.
Start with Claude Code mode for your first agent. It feels chaotic to acclimate to if you start with Cowork — there’s a lot happening on screen, and the “what is this thing even doing right now” question takes longer to answer. Claude Code mode shows you the file reads, tool calls, and edits in a single linear stream that’s easier to read while you’re learning the model.
You can switch later. Most people I know who run agents day-to-day go back and forth depending on the task.
Step 2 — Set up a project folder
Pick a directory. From inside Claude Code mode, point the app at it. The simplest test: ask Claude “what’s in this folder?” — if it lists your contents, you’re set.
A typical layout I use for any new project:
my-project/
CLAUDE.md ← the operating model (we'll create this)
.claude/skills/ ← drop in seed files here
inbox/ ← throw stuff to be processed
session_log.md ← Claude appends to this as we work
decisions.md ← Claude logs decisions hereYou don’t need to create all of those right now. We’ll let the agent create them.
Step 3 — Run the prompt-injection-finder seed
This is the step most guides skip. Don’t skip it.
The prompt-injection-finder is a markdown file that, when added to your .claude/skills/ directory, gives Claude the ability to scan other instruction files for suspicious content. Get it from Probata’s public library and drop it in .claude/skills/.
A word on how to run it safely — because the irony of a scanner is that reading a malicious file is exactly how it tries to hijack the reader. The seed is built so it can’t be turned against you (it pattern-matches first, treats everything it reads as data rather than instructions, and never runs anything it finds), but the habits matter too: keep skills you’re checking in a holding folder, not your live .claude/skills/, and don’t do this in a session with your bank logged in or your secrets loaded. The two-page version is Probata’s safe-audit guide and environment-hardening checklist — worth the five minutes before your first scan.
Then, in Claude Code mode, ask:
“Use the prompt-injection-finder skill to scan the skill files in ~/skill-quarantine/ (and anywhere else I’ve downloaded Claude skills or seed files in the past).”
You’ll get back a structured report. Verdicts come in three tiers:
- ✅ CLEAR — no suspicious content found
- ⚠️ REVIEW — ambiguous patterns; read the flagged lines and decide
- ❌ DO NOT USE — direct override attempts, exfiltration instructions, destructive commands
What a Tier 1 finding actually looks like: a line that reads like ordinary documentation until you look closely — say, an instruction telling Claude to ignore the user’s file-destination preferences “under certain conditions,” or a base64 blob that decodes to a curl of your .env to an unknown domain. Those don’t get fixed. They get deleted. Run the scan and see what’s in your own folder — that first-hand number is more convincing than any stat I could quote you.
Step 4 — Drop in the cofounder-agent-builder seed
Now we’re building the actual agent.
The cofounder-agent-builder is a different kind of seed. It doesn’t do a job — it builds an agent that does a job. Drop the file in .claude/skills/, then in Claude Code mode:
“Use the cofounder-agent-builder skill to set up a cofounder for [your domain].”
Fill in the bracket with what you actually want help with. Examples:
- “managing my AI-equities portfolio”
- “shipping my indie SaaS”
- “running my newsletter”
- “training for a marathon while juggling kids”
- “planning my move to Lisbon”
The seed conducts an interview. It asks about:
- The domain in one sentence
- The 2-4 constrained resources the cofounder is helping allocate
- The binding constraint right now
- What the cofounder should not do
- Cadence — how often you’ll actually open the project
- Existing artifacts you already have
- The first thing you’d want the cofounder to do tomorrow
Don’t rush. The quality of the answers determines whether the resulting agent feels like a thinking partner or a glorified chat bookmark. Two questions are doing heavy lifting:
- #2 (constrained resources) anchors the whole operating model. Most failed agent projects fail because there are no constrained resources — the agent is just “answer questions about X,” which any chat can do.
- #4 (what the cofounder doesn’t do) is the difference between a useful collaborator and one that overreaches. Be explicit about lines the agent should not cross.
When the interview’s done, the seed generates a CLAUDE.md file (the operating model), a folder structure, and starter artifacts. It shows you a tree of what it wrote.
Step 5 — Run your first real session
Close that conversation. Open a fresh one. Use this exact prompt:
“Read CLAUDE.md and the most recent session_log entry. Then [your first-session ritual].”
The first-session ritual is whatever you answered in interview question #7 — the first thing you’d want the cofounder to do.
What changed: the agent now operates from a role, not from a blank slate. It knows what you’re trying to do, what resources it’s allocating, what’s out of bounds. It pushes back when you try to allocate during family hours or size a position too small to matter. It writes to session_log.md as you work, so the next session picks up where this one left off.
This is the moment most people notice the difference between “using Claude” and “having a Claude cofounder.” It’s not a different model. It’s a different project.
Step 6 (optional but recommended) — Run the context-builder seed if you have a business
If your domain is a business — indie SaaS, newsletter, side product, agency — drop in the context-builder seed and run it.
“Use the context-builder skill to build a context.md for my business.”
It walks you through 17 questions: product, customer, wedge, pricing, MRR, churn, top risks, what’s working you don’t want to mess with. Output is a single context.md file your cofounder agent (and any future agents you spin up — marketing, support, analytics) all reference at session start.
You stop re-explaining your business at the top of every chat. The agents start from the same shared baseline.
A note on what you just built
The setup is intentionally simple. CLAUDE.md + a few seed files + a folder. There’s no SaaS to subscribe to between you and Claude. No proprietary platform you’re locked into. The whole thing is markdown files in your filesystem.
That’s also why we started with the security scan. The supply chain for instruction files is plain old internet downloads — GitHub repos, Reddit comments, blog posts. Some of it is careful work from people who know what they’re doing; some of it carries injection content, by accident or on purpose. You can’t tell which by looking at the source’s reputation. The only thing that separates “safe to trust” from “delete it” is an audit, not a vibe. That’s the habit this whole walkthrough is trying to install.
Where to go from here
- More seeds: Probata’s public library ships a small set of curated, reviewed seeds for common indie-operator workflows. Free.
- Member tier ($9/mo): automated personalized seed requests — describe the agent you want, get a vetted seed back, asynchronously. New drops every couple of weeks.
- Premium tier ($19-29/mo): income-generating seeds — full programmatic-SEO pipelines, indie SaaS billing-stack seeds, the agent-building infrastructure I use myself. Seeds you use to build the muse that pays for the seeds. Recursive.
The free library is enough to get most people started. Take it as far as it goes; subscribe only if you find yourself wanting more of the same.
Final caveat
Local agents are a new shape, and the patterns I’m using here will look quaint in six months. The folder layout will probably consolidate. Anthropic’s official skill marketplace (the /plugin Discover directory; live in beta since October 2025) will absorb some of what we’re doing as third-party tooling. The security audit step might get baked into the desktop app itself.
Until that happens, the audit step is on us. So is the curation step. That’s what we’re working on.