Computer use agent security is an operating-system question, not a model question

On macOS, a local computer use agent can only do what TCC (Transparency, Consent, Control) lets it do. Read its entitlements file and the permissions it requests in System Settings; those two artifacts define its blast radius on your machine. A cloud computer use agent (Anthropic Computer Use, OpenAI Operator, Google's browser agents) trades that local OS enforcement for a remote VM sandbox, plus a network round-trip that carries your screen and prompts off your machine on every action. Different threat models, different things to verify. Neither is automatically safer; both are auditable if you know what to look at.

Four keys, no more. com.apple.security.app-sandbox is false (the agent is not sandboxed because the macOS sandbox prevents accessibility-API use against other processes). com.apple.security.automation.apple-events is true (the agent can send Apple Events to other apps, gated by per-target user prompts). com.apple.security.device.audio-input is true (microphone, used for voice control via WhisperKit). com.apple.security.device.screen-capture is true (screen recording, used for the rare visual fallback when an app has no accessibility tree). com.apple.security.get-task-allow is absent in release, which means a debugger cannot attach to the running app. The file lives at Desktop/Fazm-Release.entitlements in the open-source repo.

Apple's app sandbox prevents an app from reading other apps' processes via the accessibility API. So any agent whose job is to read what is on screen and click buttons in other apps must run unsandboxed; this includes Fazm and every credible local computer use agent on macOS. The mitigation that replaces sandbox is TCC: every sensitive capability (accessibility, screen recording, microphone, automation) requires an explicit user-granted permission that you can revoke in System Settings at any time. The trade-off is real, but unsandboxed plus explicit per-capability TCC grants is the model the OS gives you for this product class. There is not a third option.

AXIsProcessTrusted (and AXIsProcessTrustedWithOptions) is the Apple-provided way for an app to ask 'do I have accessibility permission'. It returns a boolean. The known failure mode, present on macOS 15 and 26, is that the result is cached inside the process: after a macOS update or app re-sign, the cache can stay 'granted' even though real AX calls fail with kAXErrorAPIDisabled or kAXErrorCannotComplete. Fazm's AppState.swift handles this by ALSO probing CGEvent.tapCreate (which checks the live TCC database, not the cached value), and if AXIsProcessTrusted returns true but the event tap creation fails, it logs a stale-cache detection and shows a restart alert after three retries spaced five seconds apart.

On macOS, only the ones it has TCC access to. Fazm has accessibility, screen recording, and microphone, plus Apple Events scoped per-target app. It does NOT have Full Disk Access (you have to grant that separately, and Fazm does not request it during onboarding). It cannot read the Library/Mail directory, the Messages database, or contents of System Settings. If you want to know whether a particular agent has Full Disk Access, look in System Settings -> Privacy and Security -> Full Disk Access; if its name is there with the toggle on, it does. If not, the OS will hard-stop reads.

Prompt injection is a real attack class: a webpage or document contains hidden text that instructs the agent to exfiltrate data, send a message, or click a destructive button. The mitigations are not new and they are not specific to a single product. Keep the agent on a model you trust. Run it locally so the prompts and screens are not also leaving your machine. Read the agent's tool definitions; the smaller the toolbox the smaller the attack surface. Use ask-confirmation prompts for irreversible actions (send email, delete file, run shell command). Fazm's chat tool list is enumerated in Desktop/Sources/Providers/ChatToolExecutor.swift; an audit of which tools exist is one file read.

Cloud agent: every action loop sends a screenshot (sometimes accompanied by a structured DOM) to a remote model, the model returns a tool call, the harness executes it. Your screen, your inputs, and the model's reasoning all transit the network on every step. Latency: one to several seconds per action. Local agent like Fazm: the accessibility tree is read on your Mac via AXUIElementCopyAttributeValue, the diff is computed on your Mac, only the structured delta and your prompt go to the model API (or to a local model, if you pointed Fazm at one via its custom-API-endpoint setting). Latency: tens to hundreds of milliseconds per action, plus the model call. Two completely different data-flow shapes.

Five things to check. (1) Is it open source, so you can read the tools and the prompts. (2) Read its entitlements file (in the .app bundle at Contents/Info.plist or in the source repo). Count the keys. Each key is a capability you are about to grant. (3) Look at which TCC pane it asks for during onboarding. Accessibility plus Screen Recording plus Microphone is the floor for a useful agent; Full Disk Access is a step up that you should weigh hard. (4) Check the network destinations the agent talks to (Little Snitch, Lulu, or just look at the source). A local-first agent should not be calling out to ten domains. (5) Check whether its model endpoint is configurable, so you can route through your own proxy or a local model if you want.

By default, the structured accessibility-tree delta from the macos-use MCP server (lines, roles, text, in_viewport flags), plus the user's prompt, plus the chat history. Not the screen pixels. Screenshots are only captured when the agent invokes capture_screenshot, which is a tool the model has to actively decide to use (the system prompt steers it toward macos-use tools first, with screenshots as the fallback for apps without an accessibility tree). If you are running through Anthropic, this matters because it scopes what your data-handling agreement covers; the logs will show structured JSON, not images.

The agent cannot grant itself new TCC permissions; only you can do that, in System Settings, with your local password. The agent can do anything the existing permissions allow: click a Finder button to drag a file to the Trash, type a Terminal command, send an Apple Event to Mail. So 'silent' depends on whether you wired it up to confirm destructive actions. Keep destructive shell commands behind a confirmation. Most local agents (Fazm, mcp-server-macos-use, the Claude Code CLI) do this for shell commands by default. Software Update, install of new system extensions, kernel-level access — none of these are reachable through accessibility or Apple Events.