How much time will I actually save with Fazm?

Most users report saving 45-90 minutes per day on repetitive tasks. The biggest time savings come from email management (drafting replies, sorting, archiving), form filling (expense reports, CRM updates, applications), research (comparing products, gathering data from multiple sites), and social media (cross-posting, scheduling, replying). For example, booking a flight that normally takes 10 minutes of clicking through airline sites takes a single voice command with Fazm. Filing an expense report that requires opening a PDF, extracting numbers, and entering them into a spreadsheet becomes one spoken sentence. The more repetitive and multi-step your daily work is, the more time you get back.

What exactly can Fazm control?

Fazm controls everything you can do manually on your Mac. That includes mouse movements and clicks, keyboard typing, browser navigation and form filling, app switching, file management in Finder, and system-level actions. It uses direct browser DOM control for web interactions - meaning it reads and manipulates the actual page structure rather than taking screenshots and guessing where to click. For native macOS apps, Fazm uses accessibility APIs to interact with buttons, menus, text fields, and other UI elements. This works across any application: Chrome, Safari, VS Code, Slack, Figma, Terminal, Mail, Calendar, and more.

How is Fazm different from ChatGPT or Claude?

Chatbots like ChatGPT and Claude give you answers in a conversation window. Fazm takes action directly on your computer. When you say 'reply to Sarah's email,' Fazm opens your email app, finds Sarah's message, writes a contextual reply, and sends it. A chatbot would tell you what to write, but you still have to do all the clicking and typing yourself. Fazm moves your mouse, types on your keyboard, clicks buttons, and navigates between apps. It is a computer agent, not a chat assistant.

How does the memory layer work?

Fazm builds a personal knowledge graph by extracting information from your files, browsing history, conversations, and daily activity. Over time, it learns your contacts (names, emails, relationships), accounts and credentials, preferences (formatting, tone, scheduling habits), and frequently used workflows. In your first week, you might say 'Reply to Sarah's email, she's my cofounder, her email is sarah@acme.com.' By week four, you just say 'Reply to Sarah' because Fazm already knows who she is. By week eight, Fazm can draft the reply before you even ask. All of this data stays locally on your Mac - your knowledge graph never leaves your machine or gets sent to any cloud service.

Is Fazm safe? Can it mess up my computer?

Safety is built into every layer of Fazm. You watch every action in real-time on your screen - Fazm moves your mouse and types visibly, so there is nothing hidden. You can stop any action at any point by pressing a keyboard shortcut. Fazm also shows you what it plans to do before executing destructive actions like deleting files or sending emails, giving you a chance to confirm or cancel. Because Fazm is open source, the code is fully auditable on GitHub. There is no hidden behavior, no background processes making changes you cannot see, and no actions that bypass your screen.

What platforms does Fazm support?

Fazm currently supports macOS, running natively on both Apple Silicon (M1, M2, M3, M4) and Intel Macs. It is built with Swift and uses macOS-specific frameworks like ScreenCaptureKit for screen analysis and Accessibility APIs for app control, which is why macOS is the primary platform. Windows and Linux support are on the roadmap but do not have release dates yet. You can also control your Mac remotely from your phone using Fazm Remote, which gives you voice access to your desktop while you are away from your computer.

How does Fazm voice input work?

One keyboard shortcut activates push-to-talk. Hold the key, speak naturally about what you need done, and release. Fazm transcribes your speech locally using on-device models, so there is no network latency for the voice recognition step. You do not need wake words like 'Hey Siri' or 'OK Google' - just press and talk. You can also type commands into the floating toolbar if you prefer text input. Fazm understands natural language, so you do not need to memorize specific commands. Say 'book me a flight to Tokyo next Thursday' or 'find the cheapest AirPods on Amazon' and Fazm figures out the steps.

Does Fazm work in languages other than English?

Yes. Fazm works in any language - English, Russian, Spanish, German, Japanese, and more. You can speak or type in your preferred language and Fazm will understand and act. Some of our most active users run their entire workday in Russian, issuing voice commands to manage Jira tickets, write Slack messages, and navigate internal tools. There is no language setting to configure - just speak or type naturally and Fazm handles it.

Is my data sent to the cloud?

Fazm processes screen analysis and memory entirely on your machine. The personal knowledge graph, file indexing, and screen capture all run locally. The only data that leaves your Mac is the intent - a text description of what you want to accomplish, which is sent to the AI model (Claude or GPT) for action planning. Your actual screen content, file contents, browsing history, and personal knowledge graph never leave your computer. Fazm is also open source, so you can verify exactly what data is transmitted by reading the code on GitHub. For users who need complete air-gapped operation, local model support is planned.

AI Agent Security in 2026 - Lessons from OpenClaw and Why Architecture Matters

Matthew Diakonov·March 18, 2026·11 min read

security privacy openclaw ai-agents architecture

AI Agent Security in 2026 - Lessons from OpenClaw and Why Architecture Matters

The OpenClaw incident was a wake-up call. Not because a security breach happened - those happen constantly - but because of what it revealed about how carelessly the AI agent ecosystem treats user data. If you are evaluating desktop agents or building on top of agent toolchains, the lessons from OpenClaw should inform every architectural decision you make.

What Happened with OpenClaw

OpenClaw launched as an open source desktop agent in early 2026 with a cloud-first architecture. It captured screen data, sent it to remote servers for processing, and returned actions back to the user's machine. The pitch was compelling - a powerful AI assistant that could see your screen and operate any application on your behalf.

The problems started when security researchers discovered that OpenClaw's relay servers were logging full screen captures with minimal encryption and no automatic expiration. Screenshots containing passwords, banking information, private messages, and medical records were sitting on cloud infrastructure with access controls that were, to put it gently, insufficient.

But the screen data logging was just the beginning. The more serious issue was the open port architecture. OpenClaw ran a local service that accepted commands over an exposed network port. This meant that any application - or any attacker on the same network - could send instructions to the agent. Combined with the agent's broad system permissions (accessibility access, screen recording, file system access), this created a remote code execution vector with the privileges of the user's entire desktop.

The scope of the impact was significant. Thousands of users had the agent running on machines that contained sensitive corporate data, personal credentials, and private communications. The full extent of data exposure is still being assessed months later.

How It Was Discovered

A security researcher noticed unusual outbound traffic from their machine while running OpenClaw in a sandboxed environment. The agent was sending screen captures at intervals even when idle - a behavior not documented anywhere in the project's code or documentation. Deeper analysis revealed that the relay protocol had no certificate pinning, making it vulnerable to man-in-the-middle attacks. The open port was discoverable via standard port scanning.

The researcher published a detailed writeup, and within 48 hours the community had identified multiple additional vulnerabilities in the architecture - from unencrypted local storage of screen captures to an authentication bypass in the relay protocol.

The Broader Problem - Agent Toolchain Security

OpenClaw was not an isolated case. It was a symptom of an industry-wide problem. AI agents are being shipped with capabilities that would make any security engineer uncomfortable, wrapped in architectures that prioritize convenience over safety.

The discovery of 12 CVEs across popular agent toolchains in early 2026 confirmed what many suspected - the agent ecosystem has a security debt problem. These vulnerabilities ranged from dependency confusion attacks in agent package managers to prompt injection vectors that could escalate agent permissions.

Permission Models That Do Not Work

Most cloud-based agents operate on an all-or-nothing permission model. You either give the agent full access to your screen, filesystem, and input devices, or you do not use it at all. This is the antithesis of the principle of least privilege.

The problem is compounded by the fact that many agents request permissions at install time and never revisit them. An agent you installed to automate your CRM still has screen recording access when you switch to your banking app. There is no contextual permission model - no way to say "you can see Salesforce but not my email."

Data Exfiltration Is the Real Threat

When people think about AI agent security, they usually think about the agent doing something wrong - clicking the wrong button, deleting a file, sending an email to the wrong person. Those are real risks, but they are not the existential ones.

The existential risk is data exfiltration. A desktop agent that can see your screen can see everything. If that data leaves your machine - whether through the agent's intended cloud processing pipeline, a compromised dependency, or an exploited vulnerability - you have lost control of it permanently. You cannot un-send a screenshot of your password manager.

Supply Chain Attacks on Agent Toolchains

Agent toolchains introduce a new category of supply chain risk. When you install an agent, you are trusting not just the agent developer but every dependency in their stack - the LLM provider, the screen capture library, the action execution framework, the telemetry system. A compromised dependency anywhere in that chain can turn a legitimate agent into a surveillance tool.

This is not theoretical. Multiple agent frameworks in 2026 were found to include telemetry libraries that transmitted screen capture metadata - image dimensions, capture frequency, active application names - to third-party analytics services. Not malicious by intent, but a data leak by design.

A Framework for Evaluating Agent Security

Whether you are choosing a desktop agent for personal use or evaluating one for your team, here is how to think about security systematically.

Local vs Cloud Processing

This is the single most important architectural decision in agent security. Where does your data get processed?

A cloud-processed agent sends your screen data - potentially containing anything visible on your desktop - to remote servers. Even with encryption in transit and at rest, this creates exposure. The data exists outside your control. It is subject to the cloud provider's security posture, their employees' access controls, their data retention policies, and their legal jurisdiction's data access laws.

A local-first agent processes everything on your machine. Your screen captures never leave your hardware. There is no remote server to breach, no data in transit to intercept, no cloud storage to misconfigure. The attack surface is fundamentally smaller.

Permission Granularity

Good agents should request the minimum permissions necessary and provide transparency about what each permission is used for. Look for:

Scoped file access rather than full disk access
Accessibility API access that is bounded to specific applications rather than system-wide
No unnecessary network permissions - an agent that works locally should not need outbound internet access for core functionality
Temporal permissions - the ability to grant access for a session rather than permanently

Audit Trails

Can you see what the agent did? Every action an agent takes should be logged in a way that is accessible to the user. This includes what applications it interacted with, what data it accessed, what commands it executed, and what network requests it made.

Without audit trails, you are trusting the agent blindly. With them, you can verify what the agent is doing and catch problems before they become breaches.

Data Retention Policies

If the agent stores any data - screen captures, action logs, context memory - you need to know where it is stored, for how long, and how it is encrypted. Local storage encrypted with your system keychain is very different from cloud storage encrypted with the provider's keys.

Ask specifically: does the agent store screen captures? For how long? Can I delete them? Are they encrypted at rest? Are they included in backups that leave my machine?

Open Source vs Closed Source

Open source agents allow independent security audits. You can read the code, verify the permissions model, check for telemetry, and confirm that data stays where it is supposed to stay. This is not a guarantee of security - OpenClaw itself was open source - but it is a prerequisite for meaningful security review.

Closed source agents require you to trust the vendor's claims about their security posture. That trust may or may not be warranted, but you have no way to verify it independently.

Human-in-the-Loop as a Security Mechanism

One of the most effective security mechanisms for AI agents is also one of the simplest - requiring human approval for sensitive actions. An agent that asks before sending an email, executing a script, or accessing a new application gives you a chance to catch mistakes and prevent unauthorized actions.

The tradeoff is friction. Every approval prompt slows down the workflow. The best implementations make this tradeoff configurable - strict approval for sensitive operations, autonomous execution for routine tasks. The worst implementations either ask for everything (making the agent unusable) or ask for nothing (making it dangerous).

The key insight is that human-in-the-loop is not just about preventing the agent from doing something dumb. It is a security boundary. An agent that can send arbitrary network requests without approval is an agent that can exfiltrate data without your knowledge.

How Fazm Approaches This

We built Fazm with the OpenClaw-style risks in mind from the start. The architecture reflects a specific set of security decisions:

Local-first processing - Screen data is processed on your machine. No screen captures are sent to the cloud. The LLM inference that requires cloud APIs sends structured text, not raw screen data.
macOS sandbox - Fazm runs within the macOS application sandbox, which restricts file system access, network access, and inter-process communication at the OS level.
Accessibility API permissions - Rather than screen recording (which captures raw pixels), Fazm uses the macOS Accessibility API to read structured UI element data. This is more precise and less invasive than screenshot-based approaches.
No exposed ports - There is no local server, no open port, no network endpoint that could be exploited by other applications or network attackers.
Open source - The entire codebase is available on GitHub. You can audit every line of code, every network request, every data access pattern.

This is not about marketing copy. It is about architectural decisions that structurally eliminate categories of risk rather than promising to manage them through policy.

For more on what AI agents are and how they work, we have written extensively about the underlying technology.

Security Checklist for Evaluating Any AI Agent

Before installing or deploying any AI agent, run through this list:

Data Processing

[ ] Where is screen/input data processed? Local or cloud?
[ ] If cloud, what data is transmitted? Raw screenshots or structured text?
[ ] Is data encrypted in transit and at rest?
[ ] What is the data retention policy? Can you delete your data?

Permissions

[ ] What system permissions does the agent require?
[ ] Are permissions scoped to specific apps/directories or system-wide?
[ ] Can you revoke permissions without uninstalling?
[ ] Does the agent request permissions it does not obviously need?

Network Security

[ ] Does the agent expose any local ports or services?
[ ] What outbound network connections does it make?
[ ] Is certificate pinning used for cloud connections?
[ ] Can the agent function offline for core features?

Transparency

[ ] Is the agent open source? Can you audit the code?
[ ] Is there an audit trail of agent actions?
[ ] Are third-party dependencies documented?
[ ] Has the agent undergone an independent security review?

Control

[ ] Is there human-in-the-loop for sensitive actions?
[ ] Can you configure which actions require approval?
[ ] Can you restrict the agent to specific applications?
[ ] Is there a kill switch to immediately stop the agent?

If an agent fails more than a couple of these checks, think carefully about what you are giving it access to. The productivity gains from AI agents are real, but they are not worth compromising your security posture - or your users' data - for.

The OpenClaw crisis taught the industry that agent security is not optional and not something you bolt on after launch. It is an architectural decision that needs to be made at the foundation. Choose agents that got that decision right from the start.

Fazm is an open source macOS AI agent that processes everything locally. Check it out on GitHub.

AI Agent Security in 2026 - Lessons from OpenClaw and Why Architecture Matters

AI Agent Security in 2026 - Lessons from OpenClaw and Why Architecture Matters

What Happened with OpenClaw

How It Was Discovered

The Broader Problem - Agent Toolchain Security

Permission Models That Do Not Work

Data Exfiltration Is the Real Threat

Supply Chain Attacks on Agent Toolchains

A Framework for Evaluating Agent Security

Local vs Cloud Processing

Permission Granularity

Audit Trails

Data Retention Policies

Open Source vs Closed Source

Human-in-the-Loop as a Security Mechanism

How Fazm Approaches This

Security Checklist for Evaluating Any AI Agent

Related Posts

Why Local-First AI Agents Are the Future of Desktop Automation

Nobody Asks Where MCP Servers Get Their Data

Why the OpenClaw AI Agent Is a Privacy Nightmare