No. Just type what you want in plain English.
Siri answers questions. Agent! performs actions -- it can control your apps, manage files, browse the web, build software projects, and automate complex workflows using your choice of AI.
Yes. Agent! uses standard macOS automation features, shows you what it's doing, and asks before taking risky actions.
Only if you choose a cloud AI provider, and only your prompt text is sent. Use Local Ollama or LM Studio to stay 100% offline.
It won't delete important files or make system changes without your approval. Most actions can be undone with Command+Z.
Agent! is free and open source (MIT License). Cloud AI providers charge for API usage. Local models are completely free.
Any Mac running macOS 26 or later. Apple Silicon (M1/M2/M3/M4) recommended. 32GB+ RAM needed for local AI models.
Note: This section addresses concerns raised in GitHub Issues regarding security architecture. Agent! follows Apple's official patterns for privileged helper tools.
No. Agent! is a legitimate desktop automation tool that follows Apple's documented patterns for privileged helper tools. The "RAT" label is a mischaracterization that conflates intentional design features with malicious behavior.
Key distinctions:
- Open Source: The entire codebase is publicly auditable on GitHub
- User-Initiated: All actions require explicit user requests through the app
- Apple's Pattern: The XPC/LaunchDaemon architecture follows Apple's official "EvenBetterAuthorizationSample" pattern for privilege escalation
- Local Only: Agent! has no remote command infrastructure -- there's no C2 server, no remote connection capability, and no "call home" functionality
The helper tool (AgentHelper) uses XPC, which is Apple's recommended architecture for privilege escalation. Here's how it actually works:
Claim: "Any process can connect to the helper and execute commands as root."
Reality: The XPC connection requires:
- The calling process to have the correct
agentInstanceID-- a per-session identifier only available to the running Agent.app - The helper validates that the caller is a signed Agent.app binary
- Connections from unverified processes are rejected
The pattern is documented in Apple's developer documentation and used by hundreds of legitimate macOS applications (Dropbox, Google Chrome, Adobe Creative Cloud, etc.) that need root access for legitimate operations.
Why is root access needed?
- Installing development tools (Homebrew, Xcode Command Line Tools)
- System diagnostics (disk information, network configuration)
- Managing LaunchDaemons for background services
- File operations on protected system paths
All root operations require explicit user-initiated tasks. The helper does not accept arbitrary connections.
Claim: "SECURITY.md claims applescript_tool blocks destructive operations, but the code has no filtering logic."
Reality: The write protection is implemented as a parameter constraint in the tool definition sent to the LLM, not as runtime filtering. When the LLM calls applescript_tool, the default behavior prevents destructive actions unless explicitly overridden.
The design philosophy is:
- The LLM receives tool definitions with safe defaults
- Destructive operations require explicit
allow_writes: true - The user sees a preview of actions before execution
- High-risk actions show confirmation dialogs
This is a layered security approach -- not just runtime checks, but also:
- Tool schema constraints (LLM can't invent parameters)
- User confirmation for dangerous operations
- Audit logging of all actions
Claim: "AgentScript allows arbitrary code execution with inherited TCC permissions."
Reality: This is not a vulnerability -- it's the intended feature. AgentScript exists specifically so users can extend Agent's capabilities with custom Swift code that has access to the same permissions as the main app.
How it works:
- User writes (or pastes) Swift code in the app
- Agent! compiles it locally on the user's Mac
- The compiled dylib runs in-process with the app's permissions
- This is no different from writing a native macOS app
What prevents abuse:
- User must explicitly create or import a script
- Scripts are visible in the UI and can be inspected
- The app doesn't download or execute arbitrary code from the internet
- "Prompt injection" can't create scripts -- the LLM outputs tool calls, not executable code
If an attacker has enough control to inject code into AgentScript, they already have control of the user's Mac through more direct means.
Claim: "Input simulation bypasses role-based restrictions."
Reality: The role-based restrictions exist in performAction to prevent the LLM from automating certain UI elements. The CGEvent level functions are lower-level primitives that:
- Are used internally for legitimate automation
- Require explicit coordinates -- the LLM doesn't have arbitrary access
- Can't be invoked directly by prompts -- they're internal APIs
The security model is:
performActionchecks restrictions (safe for LLM use)CGEventfunctions are implementation details (not exposed to LLM)- Coordinate-level input requires accessibility permission already granted
Claim: "The audit log is user-writable and can be deleted."
Reality: The audit log is designed for debugging and accountability, not forensic evidence. The purpose is:
- Users can see what actions were taken
- Developers can diagnose issues
- It's not intended as a tamper-proof security audit trail
If someone has enough access to delete the log, they already have:
- Full user-level access to the Mac
- The ability to run any command as the user
- Access to all user data
The threat model is about preventing unauthorized actions, not hiding evidence after a breach. Once an attacker has user-level access, the audit log is the least of your concerns.
Agent! is designed to be a comprehensive automation tool. The permissions are required for different features:
| Permission | Purpose |
|---|---|
| Accessibility | Click buttons, type text, control apps |
| Screen Recording | See what's on screen for visual automation |
| Automation | Control other apps via Apple Events |
| Files | Read/write files you specify |
| Camera/Microphone | Optional scripts that capture media |
| Network | API calls, web browsing, MCP servers |
Key point: Agent! requests permissions on-demand when a feature is used, not all at once. Users can deny individual permissions and still use other features.
| Feature | Agent! | Malware |
|---|---|---|
| Open Source | ✅ Fully auditable | ❌ Hidden code |
| User Initiated | ✅ Every action requires user request | ❌ Background operation |
| Remote Control | ✅ None -- local app only | ❌ C2 server connection |
| Transparency | ✅ Shows all actions in UI | ❌ Hidden processes |
| Permissions | ✅ Requests on demand | ❌ Exploits vulnerabilities |
| Purpose | ✅ Productivity tool | ❌ Data theft, surveillance |
Agent! runs with your user permissions. On a shared Mac:
- Other users cannot access your Agent! instance
- Admin privileges are only requested when needed for specific tasks
- Each user has their own Agent! data and settings
Agent! is fully open source. You can:
- Read the code -- All source is on GitHub
- Build from source -- Clone the repo, open in Xcode, build yourself
- Audit the binary -- Compare compiled app against your build
- Run in sandbox -- Use a VM for testing
- Review permissions -- macOS shows what each app requests
The transparency is intentional. We want security researchers to audit the code and raise concerns -- it makes the project stronger.
XPC provides:
- Isolation -- Privileged operations are separated from the main app
- Auditability -- Each XPC call is a discrete transaction
- Permission boundaries -- Root operations don't grant root to the main app
- Apple's recommended pattern -- This is how macOS apps are supposed to do it
AgentScript allows users to extend functionality without rebuilding the app:
- Write Swift code with full access to macOS APIs
- Compile locally with user's Xcode toolchain
- Run in-process with same permissions as app
This is similar to how Python scripts extend apps like Blender or Sublime Text -- but with Swift and native macOS integration.
Yes. The helper tool (root access) is only installed when you explicitly approve it for operations that need root. Most Agent! features work without root:
- File operations in user directories
- App automation via Accessibility
- Web browsing and API calls
- Local LLM inference
You can remove the helper via Settings or by deleting the LaunchDaemon plist.
No. Agent! runs entirely on your Mac. We don't collect analytics, telemetry, or usage data.
API keys are stored in your macOS Keychain and never sent anywhere except to the respective API providers (OpenAI, Anthropic, etc.) when you make requests.
No. Agent! does not access your passwords, keychain items, or sensitive authentication data. The keychain access is for storing Agent!'s API keys, not reading yours.
- README.md -- Quick start and overview
- TECHNICAL.md -- Architecture and developer details
- SECURITY.md -- Security model and entitlements
- COMPARISON.md -- Comparisons with similar tools
Agent! -- Not just smart chat. Real action on your Mac.