MCP and Context Awareness: How Desktop AI Agents Know What Is on Your Screen
The biggest limitation of AI agents is not intelligence. It is awareness. An agent that cannot see your screen, read your open tabs, or understand which app is in focus is working blind. Model Context Protocol (MCP) is the standard that solves this. Here is how it works and why it matters for desktop automation.
1. What Is MCP and Why It Matters
Model Context Protocol (MCP) is an open standard, originally developed by Anthropic, that defines how AI models communicate with external tools and data sources. Think of it as a universal adapter between an AI agent and the outside world. Before MCP, every tool integration was custom. Each agent had its own way of calling APIs, reading files, or interacting with services. MCP standardized this into a single protocol.
The protocol works on a simple client-server model. The AI agent (client) connects to MCP servers, each of which exposes a set of tools and resources. A tool is something the agent can call - like running a database query or clicking a button. A resource is something the agent can read - like a file, a web page, or the current state of a UI element.
Why it matters: Without MCP, an AI agent is a brain without a body. It can think and generate text, but it cannot do anything. MCP gives agents the ability to take actions and perceive their environment. For desktop agents specifically, MCP is what turns a chatbot into something that can actually operate your computer.
The adoption has been fast. Claude Code, Claude Desktop, Cursor, Windsurf, and dozens of other tools now support MCP natively. The ecosystem of available MCP servers has grown from a handful to hundreds, covering everything from GitHub and Slack to browser control and filesystem access.
2. How MCP Servers Work
An MCP server is a lightweight process that sits between the AI agent and some external capability. It registers a set of tools with descriptions, input schemas, and output formats. When the agent decides it needs to use a tool, it sends a structured request to the server, and the server executes the action and returns the result.
The communication happens over standard transport protocols - typically stdio (for local servers) or HTTP with server-sent events (for remote servers). This means MCP servers can run locally on your machine alongside the agent, or they can be hosted services that the agent connects to over the network.
# Example: MCP server configuration in Claude Code
{
"mcpServers": {
"filesystem": {
"command": "npx",
"args": ["@modelcontextprotocol/server-filesystem", "/home/user/projects"]
},
"github": {
"command": "npx",
"args": ["@modelcontextprotocol/server-github"]
},
"desktop": {
"command": "fazm",
"args": ["--mcp"]
}
}
}
Each server declares its capabilities on startup. The agent discovers what tools are available, reads their descriptions, and decides when to use them based on the task at hand. This is what makes MCP composable - you can add a new capability to your agent just by configuring a new server. No code changes to the agent itself.
The protocol also handles tool schemas, which tell the agent exactly what parameters each tool expects and what it returns. This lets the agent call tools correctly without trial and error. A well-described tool in MCP is one the agent can use reliably on the first attempt.
3. Types of MCP Servers
MCP servers fall into several categories based on what they provide access to. Understanding these categories helps you build the right context stack for your agent.
| Category | Examples | What They Provide | Awareness Type |
|---|---|---|---|
| Browser | Playwright MCP, Puppeteer MCP | Navigate, click, type, read web pages | Web content awareness |
| Desktop | Fazm, macOS accessibility servers | Control any app, read screen elements, click buttons | Full desktop awareness |
| API / SaaS | GitHub, Slack, Linear, Sentry MCPs | Read and write data in cloud services | Service-level awareness |
| Data | Postgres, SQLite, filesystem MCPs | Query databases, read/write files | Data awareness |
| System | Process monitor, network, clipboard MCPs | Read system state, running processes, network info | Environment awareness |
The most powerful agent configurations compose multiple server types. A coding agent with filesystem, GitHub, and database MCP servers can independently investigate and fix a production bug. Add a desktop MCP server and it can also check monitoring dashboards, read Slack messages about the incident, and update the status page.
Browser MCP servers like Playwright are good for web-specific tasks, but they only work within the browser. Desktop MCP servers go further because they can interact with any application, not just web pages. They use operating system accessibility APIs to read UI elements, click buttons, fill forms, and navigate between apps.
Fazm falls into the desktop category. It operates as a macOS MCP server that provides full desktop awareness through the accessibility API. The agent can see the complete UI tree of any app, understand what is on screen, and take actions across the entire desktop environment. This is a fundamentally different level of context compared to a browser-only server.
4. The Awareness Problem
The core challenge with AI desktop agents is deceptively simple: the agent needs to know what is happening on the screen. This sounds trivial, but it is the hardest part of building a reliable desktop agent.
There are two main approaches to giving agents screen awareness:
| Approach | How It Works | Pros | Cons |
|---|---|---|---|
| Screenshot + Vision | Take a screenshot, send it to a vision model to interpret | Works with any app, captures visual layout | Slow, expensive, unreliable for precise interactions |
| Accessibility Tree | Read the OS accessibility API to get structured UI elements | Fast, precise, structured data, reliable targeting | Requires apps to implement accessibility correctly |
Early desktop agents relied heavily on screenshots and vision models. The agent would take a screenshot, send it to GPT-4V or Claude, and ask "what do you see?" This works for simple cases but breaks down quickly. Vision models hallucinate UI elements, misread text, and cannot precisely locate click targets. A button that looks like it is at coordinates (450, 320) in the screenshot might actually be at (455, 318) on screen, causing the click to miss.
The accessibility tree approach is far more reliable. Every macOS app exposes a structured tree of UI elements through the accessibility API. Each element has a role (button, text field, menu item), a label, exact coordinates, and its current state (enabled, focused, selected). An agent reading this tree knows exactly what is on screen, where every interactive element is, and what actions are available.
The best approach combines both. Use the accessibility tree as the primary source of truth for element positions and state. Use screenshots for visual verification when the tree alone is ambiguous, like distinguishing between visually similar elements or confirming that an action produced the expected visual result.
This hybrid approach is what makes modern desktop MCP servers reliable enough for production use. The agent reads the accessibility tree to understand the UI structure, takes targeted screenshots only when visual confirmation is needed, and uses precise coordinates from the tree for all interactions.
5. Building Context-Aware Agents
Context awareness is not just about seeing the screen. A truly context-aware agent understands the full environment it is operating in. That includes:
- Active application state - which app is in the foreground, what document is open, where the cursor is, what text is selected
- System context - what other apps are running, system notifications, clipboard contents, recent file changes
- Temporal context - what happened before the current moment, what the user was doing 5 minutes ago, the sequence of actions that led to the current state
- User intent - inferring what the user is trying to accomplish based on their current context, not just their explicit instruction
- Cross-app relationships - understanding that the email you are reading relates to the Jira ticket that is open in another tab, which maps to the pull request in your browser
MCP makes it possible to build this multi-layered awareness because each layer can be a separate server. A filesystem server provides file context. A desktop server provides UI context. A calendar server provides scheduling context. The agent composites these into a unified understanding of the environment.
The practical challenge is information overload. A full accessibility tree for a complex app like a web browser can contain thousands of elements. Sending all of that to the language model on every interaction is expensive and slow. Good MCP servers solve this with intelligent filtering, only surfacing the elements that are relevant to the current task.
Fazm approaches this by providing a structured view of the desktop that highlights interactive elements, visible text, and current state without flooding the agent with every node in the UI tree. The agent gets enough context to understand and act, without being overwhelmed by irrelevant detail.
For developers building their own MCP servers, the key lesson is: context quality beats context quantity. An agent with 50 well-curated context signals will outperform one with 5,000 raw data points. Filter aggressively, structure clearly, and include metadata that helps the agent understand relevance.
6. Security Considerations
Giving an AI agent access to your desktop is a meaningful security decision. An MCP server with desktop access can read sensitive information on screen, interact with authenticated sessions, and take actions with real consequences. This demands careful thought about what you are granting access to and how.
| Risk | Mitigation | Implementation |
|---|---|---|
| Sensitive data exposure | Scope access to specific apps | Allowlist which apps the agent can interact with |
| Unintended actions | Human-in-the-loop for destructive ops | Require confirmation for deletes, sends, and purchases |
| Data exfiltration | Local-first processing | Run MCP servers locally, minimize data sent to cloud |
| Prompt injection via UI | Sanitize accessibility tree output | Strip or escape untrusted text from UI element labels |
| Session hijacking | Separate agent browser profiles | Isolated browsing contexts for agent tasks |
The most important security principle for MCP desktop agents is the principle of least privilege. The agent should have access to exactly what it needs for the current task and nothing more. This means configuring MCP servers with explicit scopes and permissions, not giving blanket desktop access.
Open-source MCP servers have a significant trust advantage here. You can read every line of code, audit what data is being accessed, and verify that nothing is being sent to unauthorized endpoints. Closed- source desktop agents that ask for accessibility permissions are effectively asking you to trust them with everything on your screen.
A practical security setup for desktop agents: run MCP servers locally, use app allowlists, require human confirmation for any action that sends data externally or makes irreversible changes, and audit the accessibility tree output periodically to confirm the agent is only reading what you expect.
7. Where MCP and Desktop Awareness Are Headed
MCP is still young. The specification continues to evolve, and the ecosystem of servers is growing rapidly. Several trends are clear:
- Composable agent stacks - Instead of monolithic agents that try to do everything, the future is lightweight agents that compose multiple MCP servers dynamically based on the task. Need to debug a production issue? The agent connects to Sentry, GitHub, and database servers. Need to process emails? It connects to Gmail and CRM servers.
- Proactive awareness - Current agents are reactive. You tell them what to do. Next-generation agents will monitor context continuously and surface relevant information or take actions before you ask. An agent that notices a Sentry alert, investigates the root cause, and drafts a fix before you open your laptop.
- Cross-platform MCP - Today most desktop MCP servers are macOS-specific because Apple's accessibility API is the most mature. Windows and Linux support is growing as projects build accessibility bridges for those platforms.
- Standardized permissions - The MCP spec will likely add formal permission scoping, letting users grant granular access (read-only for this app, full control for that one) through the protocol itself rather than relying on each server's custom implementation.
- Persistent context - Agents that remember previous sessions, learn your preferences, and build up a model of your workflow over time. This requires solving the memory and context persistence problem within the MCP framework.
The endgame is an AI agent that has genuine environmental awareness comparable to a human assistant sitting next to you. It can see your screen, understand your context, anticipate your needs, and take action across any application. MCP is the infrastructure layer that makes this possible.
For developers and teams evaluating this space, the practical advice is to start building on MCP now. The protocol is stable enough for production use, the ecosystem is large enough to be useful, and the skills you develop orchestrating MCP-based agents will compound as the tools improve.
Give your AI agents full desktop awareness
Fazm is an open-source macOS MCP server that provides desktop context through accessibility APIs. Your AI agents can see, understand, and interact with any app on your Mac. Free, MIT licensed, runs locally.
View on GitHub