Local AI agent vendor revocation risk is layer-by-layer, not all-or-nothing
Most write-ups treat the word “local” as a verdict on vendor risk. It is not. A desktop agent has at least four layers, and each one carries a different exposure when your LLM provider decides to cut you off. Here is the honest breakdown, with the exact Fazm setting that lets you swap the model endpoint without rebuilding anything.
Does running an AI agent locally protect me from vendor revocation?
Partly. The execution layer (clicks, typing, file ops, shell) is local code on your Mac and is fully vendor-immune. The reasoning layer is whatever your agent calls for the next token; for most “local agents” in 2026 that is still a cloud LLM, which means a revoked key blocks reasoning until you swap the endpoint or model.
The practical mitigation is owning the click-and-type layer and being able to redirect the model call to any Anthropic-compatible endpoint. Fazm does both: the automation engine is Apple's accessibility APIs, and a single text field in Settings > Advanced > AI Chat > Custom API Endpoint writes a URL into the agent subprocess's ANTHROPIC_BASE_URL environment variable. Three lines of Swift, in ACPBridge.swift at lines 468 to 470.
What “vendor revocation” actually means
The phrase covers more ground than a one-time account suspension. On a normal year a working AI workflow can be broken by any of these without warning:
- An automated trust-and-safety review concludes your usage looks like abuse and your account is suspended pending appeal. Anthropic did this to the OpenClaw team in 2025; the pattern repeats across providers every quarter.
- A model your workflow depends on is deprecated on 60 days notice, the API starts returning model not found, and your agent code path breaks until you migrate.
- Rate limits tighten silently during peak hours, your agent loops on retries, and the user experience degrades into a slow hang.
- A region, capability tier, or pricing change cuts off a feature your workflow assumed (long context, vision, tool-use schema).
None of this requires a vendor to be malicious. It just requires you to have built on a single endpoint with no swap path. Calling your agent “local” does not change any of the four scenarios above; it changes which parts of the stack still function while you fix the model dependency.
Layer by layer: what dies, what lives
A desktop agent has at least four layers. Treat each as a separate risk question. Two of them are unaffected by any cloud event. One of them is the entire reason single-vendor agents fail. The fourth is your escape hatch.
Click + type layer
Apple accessibility APIs running on your Mac. Reads the AX tree, finds elements by role and label, sends synthetic clicks and keystrokes. No outbound traffic. Survives any cloud event including total Anthropic outage. This is the core of why 'local agent' means anything at all.
File + shell layer
Local file reads, edits, and shell commands run inside Fazm with your user's permissions. No vendor on this path.
Speech-to-text
WhisperKit on-device. Your microphone audio never leaves the machine and does not depend on a remote provider.
Reasoning layer (default)
Claude family via the Anthropic API. This is the layer that breaks if Anthropic revokes you. Mitigation lives in the next two cards.
Reasoning layer (built-in fallback)
Two access paths to Claude: Fazm's bundled key for the first $10, then your personal Claude OAuth (Pro or Max). Bridge auto-flips on a model-access error. One vendor, two credentials.
Reasoning layer (escape hatch)
Settings > Advanced > AI Chat > Custom API Endpoint writes a URL into ANTHROPIC_BASE_URL for the agent subprocess. Point it at any Anthropic-compatible gateway: corporate proxy, Copilot bridge, local model. No rebuild.
The escape hatch is one text field
The reason this is worth writing about is that the mitigation is not a roadmap item or a developer-only knob. It is a single text field in the Settings UI, wired to one environment variable on the agent subprocess. When you change the URL, the bridge restarts automatically and the next message goes to the new endpoint.
The wiring is small enough to read in one sitting. Setting lives at Desktop/Sources/MainWindow/Pages/SettingsPage.swift:885 as @AppStorage("customApiEndpoint"). The injection happens in Desktop/Sources/Chat/ACPBridge.swift:468-470:
// Custom API endpoint (proxies through Copilot,
// corporate gateways, local model servers, etc.)
if let customEndpoint = defaults.string(forKey: "customApiEndpoint"),
!customEndpoint.isEmpty {
env["ANTHROPIC_BASE_URL"] = customEndpoint
}Anything that speaks the Anthropic message protocol works on the other end: a corporate proxy that re-keys the request, a self-hosted gateway, a local model server with an Anthropic shim, or a third-party provider that implemented the same surface. The agent on your Mac never has to know the difference.
Where the model call actually goes
Three destinations, one variable. If the first one stops accepting your traffic, you flip the variable. The clicks, typing, file ops, and AX-tree reads on the left side of that diagram never change shape regardless of which destination is live.
Screenshot agents vs. accessibility-tree agents under revocation
This part is not obvious until you trace what each architecture actually does on every step. Use the toggle below to see the same workflow under two designs.
Same workflow, different vendor exposure per step
On every step the agent screenshots the screen, sends pixels and an instruction to a vision-capable model, and waits for coordinates and a verb back. Every action is an LLM call. Every LLM call is vendor-exposed. When the vendor goes away, the agent is dead until you can reach an equivalent vision model with comparable accuracy on UI-screenshots.
- 1 LLM call per click, per scroll, per keystroke decision
- Vision capability gates the entire architecture
- Substituting a smaller model degrades all interactions, not just reasoning
What this looks like during an actual revocation
Imagine your Anthropic key is suspended at 2pm on a Tuesday. Here is the actual sequence with Fazm running on your Mac, in the order you would experience it:
- 2:00pm. You ask the agent to refile a row in your CRM. The agent is already moving (open the tab, focus the field, read the current value) before any model call. The first three accessibility actions succeed.
- 2:00pm + 2s. The agent needs to decide which row matches your description and calls the model. The call returns a 401 or authentication_error.
- 2:00pm + 3s. The bridge surfaces the error in the chat. Anything that did not need that model call (your in-progress files, the open browser tabs, the agent UI itself) is unaffected.
- 2:01pm. You open Settings > Advanced > AI Chat. You toggle Custom API Endpoint on and paste your fallback URL. The bridge restarts automatically.
- 2:01pm + 4s. You re-send the message. It goes to the new endpoint. The agent picks up the AX-tree state of the CRM tab where it left off and completes the row.
The total recovery is one toggle, one URL paste, one re-send. None of the work-in-flight on your Mac is lost because the execution layer never touched the vendor.
What you should actually do about this
If you are evaluating a desktop AI agent under any kind of vendor-risk lens, three concrete checks separate honest architecture from marketing:
- Where does the click come from? Read the source. If the answer is “send pixels to a vision model and wait for coordinates,” the architecture is vendor-coupled at the action level. If the answer is “query the accessibility tree,” the action layer is yours.
- Can the model endpoint be changed without a rebuild? A user-facing setting that injects a base URL counts. A hard-coded SDK call does not.
- Is the source readable? You cannot audit either of the above on a closed agent. Open source is the only way to verify the swap path is real and not a marketing slide.
Fazm passes all three by construction: AX engine, customApiEndpoint setting, MIT-licensed source on github.com/m13v/fazm. That does not eliminate vendor revocation risk; it moves the recovery from days to seconds and limits the blast radius to one kind of step in the workflow.
Want to walk through your own vendor-risk surface?
Twenty minutes with the team. Bring whatever you are using today, we will trace which layers you actually own and which ones are one revocation away.
Adjacent reading
Local AI agent fallback model
How the bridge-mode auto-flip works in code, with file-and-line references for the matcher, the catch block, and the auto-retry.
AI agent model provider failover
A two-day pattern for abstracting the model layer in any AI-powered product so you can hot-swap providers under outage.
Accessibility API AI agents vs screenshots
Why a screenshot-based agent is a heavier vendor dependency than an accessibility-tree agent, beyond the obvious latency and accuracy.
Frequently asked questions
If my LLM vendor revokes my account, does a 'local' agent keep working?
Only the parts that don't talk to the vendor. The execution layer (clicks, typing, accessibility-tree reads, file edits, shell commands) is local code on your Mac and is unaffected. The reasoning layer is whatever your agent calls for the next token. If that call is to a cloud LLM the vendor controls, then yes, that call dies the moment your key dies. Most 'local agents' today are local execution plus cloud reasoning. Calling that 'local' is fair, but treating it as vendor-immune is wrong.
What does 'vendor revocation' actually look like in practice?
Three common shapes. One, account suspension after an automated trust-and-safety review (Anthropic suspended the OpenClaw team's account in 2025; similar patterns recur across providers). Two, model deprecation on short notice, where a model your workflow depends on gets removed and the API returns a 'model not found' error. Three, regional or category cutoffs, where a tier of access (rate, region, capability) is silently tightened. None of these require malice. They all break a workflow built on one provider with no swap path.
What does Fazm specifically do to mitigate this?
Three concrete things, none of them magic. First, the agent's automation engine is Apple's accessibility APIs running locally; that part has no vendor at all. Second, the chat layer ships with two access paths to the same Claude family (a bundled Anthropic key with a $10 cap, plus your own Claude OAuth via Pro or Max), and the bridge auto-flips on a model-access error. Third, there is a Custom API Endpoint setting in Settings > Advanced > AI Chat that writes whatever URL you paste into the ANTHROPIC_BASE_URL environment variable for the agent subprocess. You can point it at a corporate proxy, a GitHub Copilot Anthropic-compatible bridge, or a local model server speaking the Anthropic protocol. Source: Desktop/Sources/Chat/ACPBridge.swift lines 468 to 470 and SettingsPage.swift line 885.
Is the Custom API Endpoint a developer-only feature?
No. It is a text field in the Settings UI with a single toggle and an example proxy URL as the placeholder. The bridge restarts automatically when you change it. Nothing to rebuild, no Xcode required, no command line. The use case is exactly the revocation scenario: if the default Anthropic API stops accepting your traffic, you swap the URL and keep going.
Does running the model fully local also remove this risk?
Yes, for the model call. If you serve an Anthropic-protocol-compatible endpoint locally (vLLM with the right shim, an Anthropic-compatible proxy in front of Ollama or llama.cpp, etc.) and point Custom API Endpoint at it, the model dependency moves to a process you own. The trade is capability and speed: a 70B-class local model is not parity with frontier Claude on most agentic workloads in 2026, and Mac inference latency on long contexts is not zero. The right answer is usually a swap path on file, not local-only by default.
Why does Fazm choose accessibility APIs instead of screenshots? How does that change the revocation calculation?
Screenshot-based agents send pixel data plus an instruction to a vision-capable model on every step. Every step is an LLM call, which means every step is vendor-exposed. Accessibility-API agents read the structured AX tree on-device, which means most action steps need no LLM call at all (find element by role, click coordinates from the tree, type text, read response). The LLM is consulted at decision points, not at every interaction. Fewer vendor round-trips means a revocation event blocks fewer behaviors, and a swapped-in slower model still feels usable.
What about the bundled Fazm Anthropic key? Doesn't that put me back on a single vendor?
It puts new users on a single vendor for the first $10 of usage so they can try the product without signing up for an Anthropic account. After the cap, the bridge auto-switches to your own Claude OAuth (which uses your existing Pro or Max subscription). If your personal Claude account is also unavailable, the Custom API Endpoint setting routes you to whatever third-party gateway you trust. The bundled key is a cold-start convenience, not a permanent dependency.
Where can I read the actual source for these claims?
github.com/m13v/fazm. The Custom API Endpoint UI is in Desktop/Sources/MainWindow/Pages/SettingsPage.swift around line 885. The env-var injection that makes it work is in Desktop/Sources/Chat/ACPBridge.swift at lines 468 to 470: if customApiEndpoint is non-empty, env['ANTHROPIC_BASE_URL'] = customEndpoint. The bridge-mode auto-flip on model-access errors is in Desktop/Sources/Providers/ChatProvider.swift around line 2943. If you do not trust the marketing language, read the Swift.
Comments (••)
Leave a comment to see what others are saying.Public and anonymous. No signup.