blade-computer-use
Provides tools for controlling macOS, including listing applications, observing screen content, clicking, typing text, pressing keys, and scrolling, enabling agentic computer use.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@blade-computer-useObserve the frontmost window and list its UI elements."
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
blade-computer-use
blade-computer-use is a small, agent-neutral macOS computer-use implementation over the Model Context Protocol (MCP). It gives Codex, Claude Code, Orca, and other MCP clients the same six tools:
list_appsobserveclicktype_textpress_keyscroll
It is an independent security research project, not an OpenAI product and not a reproduction of OpenAI's private Computer Use implementation.
How it works
Coding agent
| stdio MCP: schemas, allowlist, one-shot revisions, PNG responses
v
TypeScript server (bundled as one runtime file)
| JSONL request/response protocol
v
Persistent Swift helper
| AXUIElement | ScreenCaptureKit | CGEvent
v v v
Accessibility tree window screenshot mouse/keyboard inputobserve returns a bounded AX tree, a window screenshot, and an opaque revision. That revision permits exactly one action. The next action consumes it, so an agent must observe again before doing anything else. element_index values are scoped to that observation and are never treated as stable cross-frame identities.
Related MCP server: macinput
Requirements
macOS 14 or newer
Node.js 20 or newer
Swift 5.10 or newer and the Xcode Command Line Tools (
xcode-select --install)Accessibility and Screen Recording permission for
BladeComputerUseHelperor the agent host macOS attributes it to
The first plugin launch compiles the native helper for the current Mac. The TypeScript MCP server is already committed as a standalone bundle, so runtime installation does not run npm install.
Codex
Install this repository as a Codex marketplace, then install the plugin:
codex plugin marketplace add echoVic/blade-computer-use
codex plugin add blade-computer-use@blade-computer-useRestart the Codex app after installation. The packaged configuration allows only TextEdit by default.
For a custom allowlist, clone the repository, change CUA_ALLOWED_APPS in .mcp.json, build once, and add the local checkout as the marketplace source:
git clone https://github.com/echoVic/blade-computer-use.git
cd blade-computer-use
npm install
npm run build
codex plugin marketplace add "$PWD"
codex plugin add blade-computer-use@blade-computer-useUse comma-separated bundle identifiers, for example:
"CUA_ALLOWED_APPS": "com.apple.TextEdit,com.apple.Notes"CUA_ALLOW_ALL_APPS=1 is available for local research, but the lock screen and SecurityAgent remain hard-denied.
Claude Code
Clone the repository, then load it as a local Claude Code plugin:
git clone https://github.com/echoVic/blade-computer-use.git
claude --plugin-dir /absolute/path/to/blade-computer-useClaude Code reads .claude-plugin/plugin.json and the shared root .mcp.json. ${CLAUDE_PLUGIN_ROOT} is resolved by the launcher, so the checkout can live anywhere.
Orca
Copy the Orca MCP example into Orca's configuration and replace the absolute command path. The example uses an underscore-safe server name, so Orca discovers the tools as mcp__blade_computer_use__<tool>.
Permissions
The first observe requests Accessibility and Screen Recording through the macOS system APIs. The user must approve both permissions; the plugin cannot toggle security settings on the user's behalf.
If macOS opens System Settings > Privacy & Security, grant:
Accessibility to
BladeComputerUseHelper, or to the terminal/Codex/Claude host shown by macOS.Screen Recording to the same executable shown by macOS.
Restart the plugin host after changing permissions, then retry observe. list_apps reports both accessibility_trusted and screen_recording_trusted; a denied request returns permission_denied with the missing permission names.
TextEdit smoke test
Open TextEdit and create a new plain-text document.
Ask the agent to call
list_appsand findcom.apple.TextEdit.Ask it to
observeTextEdit.Ask it to click the editor, type a short line, and verify the result.
The expected loop is observe -> one action -> observe. A stale or already-consumed revision must not be retried.
With an empty TextEdit document focused and both permissions granted, run the live integration check:
npm run test:manual:texteditThis opt-in test verifies AX observation, two PNG responses, Unicode input, one-shot revision rejection, and the final AX text. It is not part of CI because it requires an interactive macOS session and user-granted permissions.
Security and privacy
Apps require an explicit bundle-id allowlist; TextEdit is the only packaged default.
com.apple.loginwindow,com.apple.SecurityAgent, andcom.apple.SecurityAgentHelperare always denied.Secure AX fields reject
type_text.Coordinate actions verify that the observed window has not moved or resized.
Screenshots are written to a mode-
0700temporary directory, read into the MCP image response, and deleted immediately afterward.No telemetry is implemented. AX text and screenshots are returned to the connected agent, whose own model-request and retention behavior is outside this project.
See SECURITY.md for the trust boundary and reporting process.
Current limits
This is deliberately smaller than a production computer-use stack:
macOS-only; there is no Linux or Windows implementation.
No AX diff protocol or cross-observation element identity matching.
No lock-screen guardian, URL policy, or physical user-intervention detector.
No OCR, browser-specific DOM bridge, or action-specific confirmation UI.
No telemetry, account-policy integration, code signing, notarization, or prebuilt native binaries.
The AX tree is capped at 500 nodes, depth 12, and 160 characters per text field.
Development
npm install
npm test
npm run typecheck
npm run build
npm run validate:manifests
npm run smoke:mcpThe native checks use a framework-free self-test executable because a Command Line Tools-only Swift installation does not provide XCTest or the Swift Testing module:
npm run test:nativeThe self-test currently covers 22 protocol, AX serialization, input, coordinate, and permission-gate checks.
License
MIT
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/echoVic/blade-computer-use'
If you have feedback or need assistance with the MCP directory API, please join our Discord server