Security · May 20, 2026 · Last updated 2026-05-21 · 16 min read
Don't Let Claude Use Your Actual Computer

Questions this page answers
- Should I let Claude use my personal computer?
- How do I isolate a computer-use agent safely?
- What permissions should a computer-use agent get on macOS?
- When is a dedicated remote Mac safer than a personal laptop?
Safety answer
Quick Answer: Give Claude A Computer, Not Your Computer
The Reddit title works because the risk is obvious once you say it plainly. A computer-use agent should operate in a dedicated environment with scoped accounts, test data, narrow permissions, logs, backups, and a recovery path. Your personal Mac has the wrong defaults: real messages, real browser profiles, real password managers, real files, and real distractions.
- Do not grant broad desktop access to an agent on your daily laptop.
- Use a dedicated Mac account, browser profile, and workspace for agent runs.
- Keep sensitive apps closed unless a human is present and the task requires them.
- Prefer read-only or staging accounts for websites and internal tools.
- Log prompts, approvals, screenshots, commands, and files changed.
- Keep a kill switch: stop the app, revoke permissions, rotate credentials, or restore from a snapshot.
The right mental model
The Threat Model For Computer-Use Agents
The agent does not need malicious intent to cause damage. Most incidents come from ambiguity, prompt injection, wrong-account actions, browser state leakage, overbroad permissions, or a tool loop that keeps trying after the task should have stopped.
| Risk | Example | Control |
|---|---|---|
| Wrong account | The agent clicks in your personal Gmail, Stripe, GitHub, or iCloud session. | Use a separate browser profile and staged accounts with least privilege. |
| Prompt injection | A website tells the agent to ignore instructions or exfiltrate data. | Treat webpage content as untrusted and forbid copying secrets into pages. |
| Destructive UI action | The agent deletes, submits, purchases, or changes permissions. | Require human approval before irreversible actions. |
| Secret exposure | The agent opens a password manager, API key file, or private note. | Keep secrets out of the desktop profile and use task-scoped credentials. |
| Runaway loop | The agent keeps clicking through a broken flow or retrying commands. | Use timeboxes, retry limits, heartbeats, and a manual stop path. |
A Safer Isolation Architecture
The goal is not to make the agent useless. The goal is to make the useful workspace explicit. A strong setup looks like a real Mac, but with a narrower blast radius.
- Create a dedicated macOS user for agent work.
- Use a dedicated browser profile with only the test or staging accounts required for the task.
- Keep password managers, Messages, Mail, photos, personal cloud drives, and financial apps out of that account.
- Clone only the repos the agent needs and keep production data out of fixtures.
- Grant Screen Recording and Accessibility only to the agent surface that needs them.
- Start each high-risk task from a clean branch and save the final diff before merge.
- Log every approval and stop before payments, account permission changes, production deletes, or security prompts.
Agent desktop policy:
- Allowed apps: Terminal, browser test profile, editor, simulator, local app under test
- Blocked apps: password manager, personal mail, personal messages, system settings, production admin consoles
- Requires human approval: purchases, deletes, permission changes, production writes, credential access
- Stop after: 45 minutes, 2 failed retries, or any request to handle secrets
Personal Laptop Vs Dedicated Mac Vs Disposable Sandbox
| Host | Use it for | Do not use it for |
|---|---|---|
| Personal laptop | Short supervised demos where you are watching every step. | Autonomous browsing, account work, background tasks, or sensitive desktop state. |
| Disposable sandbox | Clean command-line tests, isolated code execution, and untrusted experiments. | Work that needs persistent browser state, macOS apps, Xcode, Messages, Mail, or long-lived GUI context. |
| Dedicated remote Mac | Computer-use workflows that need real macOS state, GUI apps, SSH, VNC, logs, and recovery. | Untrusted code without sandboxing, production admin work without human approval, or secrets-heavy tasks. |
The dedicated remote Mac is the middle path. It gives the agent a stable desktop without letting the agent inherit your personal laptop identity.
The Permission Checklist
- Grant Screen Recording only after you know which desktop the agent will inspect.
- Grant Accessibility only to the agent app or automation bridge that needs to click and type.
- Approve one target app or one browser profile at a time.
- Do not allow the agent to approve its own macOS privacy prompts.
- Do not ask the agent to operate the terminal app that controls the agent itself.
- Do not leave production dashboards, account settings, or billing pages open during unrelated work.
- Remove broad always-allow settings after the task if the workflow is still experimental.
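A way to verify the last item on that checklist, rather than trusting memory, is to read the grants macOS has actually recorded. The Python below is an added example for this article, not the page's or any vendor's code: it audits Screen Recording and Accessibility grants in a TCC-style `access` table and flags every allowed client that is not the agent surface you intended, then prints the `tccutil reset` lines a human can run to revoke them. On a real Mac the Screen Recording rows live in the per-user database at `~/Library/Application Support/com.apple.TCC/TCC.db` and Accessibility rows in the system database under `/Library/Application Support/com.apple.TCC/`, and reading either needs Full Disk Access; the rows here are constructed for an offline run, and the bundle IDs are illustrative assumptions.

```python
"""Audit TCC grants for an agent workbench (added example, not the page's code).

Builds an in-memory table shaped like the TCC `access` table from constructed
rows, then reports allowed Screen Recording / Accessibility grants whose
client is not the expected agent bridge.
"""
import sqlite3

WATCHED_SERVICES = {"kTCCServiceScreenCapture", "kTCCServiceAccessibility"}
ALLOWED_VALUE = 2  # auth_value 2 means "allowed" in the access table

# Constructed sample rows (service, client, auth_value); not real data.
SAMPLE_ROWS = [
    ("kTCCServiceScreenCapture", "com.example.agent-bridge", 2),   # intended grant
    ("kTCCServiceScreenCapture", "us.zoom.xos", 2),                # leftover from a call
    ("kTCCServiceAccessibility", "com.example.agent-bridge", 2),   # intended grant
    ("kTCCServiceAccessibility", "com.apple.Terminal", 2),         # the agent's own control terminal
    ("kTCCServiceAccessibility", "com.example.old-demo-tool", 0),  # denied, not a finding
    ("kTCCServiceCamera", "com.example.agent-bridge", 2),          # not a watched service
]


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory stand-in for TCC.db with the columns the audit reads."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, auth_value INTEGER)")
    db.executemany("INSERT INTO access VALUES (?, ?, 0, ?)", SAMPLE_ROWS)
    return db


def audit_grants(db: sqlite3.Connection, expected_clients: set[str]) -> list[tuple[str, str]]:
    """Return sorted (service, client) pairs for every allowed Screen Recording or
    Accessibility grant whose client is not in expected_clients."""
    rows = db.execute("SELECT service, client, auth_value FROM access").fetchall()
    return sorted((service, client) for service, client, value in rows
                  if service in WATCHED_SERVICES and value == ALLOWED_VALUE
                  and client not in expected_clients)


def reset_commands(findings: list[tuple[str, str]]) -> list[str]:
    """tccutil lines a human can run to revoke each unexpected grant."""
    return [f"tccutil reset {service.removeprefix('kTCCService')} {client}"
            for service, client in findings]


if __name__ == "__main__":
    db = build_sample_db()
    found = audit_grants(db, {"com.example.agent-bridge"})
    for line in reset_commands(found):
        print(line)
```

The agent should never run this itself; it is the human's post-task check, and the `tccutil reset` lines are deliberately printed rather than executed so the person reviewing the run decides what to revoke.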
Logs, Recovery, And The Kill Switch
Safety improves when you can reconstruct what happened. Keep the agent's transcript, screenshots that drove actions, app approvals, command history, modified files, and final branch diff together.
| Event | Log it | Recovery action |
|---|---|---|
| Agent opens an unexpected app | App name, visible state, and prompt that preceded it. | Stop run, revoke approval, and inspect whether files or accounts changed. |
| Agent reaches a sensitive page | URL or app area, account, and requested next action. | Stop before action, close page, and downgrade account permissions. |
| Agent changes files | Git diff, test output, and explanation. | Review diff, revert only the agent branch if needed, preserve unrelated user work. |
| Agent loops or retries | Retry count, error message, and command history. | Kill process, save logs, and rewrite the task with a smaller scope. |
Where Hyperbox Fits
Hyperbox gives computer-use agents a dedicated macOS workstation that stays online, separate from your personal laptop. You can keep the agent's browser profile, repos, desktop permissions, and logs in one controlled place, then connect over SSH or VNC when a human needs to intervene.
- Use Hyperbox as the agent workbench, not as your personal computer.
- Keep a dedicated account and browser profile for agent work.
- Preserve GUI state and logs after your laptop closes.
- Recover through VNC, SSH, branch diffs, and task logs.
- Separate long-running automation from personal apps and accounts.
Frequently asked questions
Should Claude use my personal laptop for Computer Use?
Use a personal laptop only for short supervised demos. For real work, give the agent a dedicated account, browser profile, scoped credentials, logs, approvals, and recovery path on an isolated machine.
What is the safest host for a computer-use agent?
A safe host is dedicated, scoped, observable, recoverable, and separated from personal apps and accounts. It should support Screen Recording, Accessibility, SSH or VNC, logs, and least-privilege accounts.
What actions should always require human approval?
Payments, production writes, account permission changes, deletes, password or API key access, security settings, and anything irreversible should require a human before the agent acts.
Related reading
Always-on Mac runtime
Give your agent a Mac that stays online after your laptop closes.
Hyperbox gives Codex, Claude Code, OpenClaw, and remote dev workflows a persistent macOS machine with SSH, VNC, and full desktop access.