Hands
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@Handstake a screenshot of my desktop"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
🖐️ Hands
A macOS computer-use MCP server for autonomous AI agents.
Give an LLM eyes, a mouse, and a keyboard — with a real security model in between.
Quick Start • Tools • Security Model • Plugins • Docs
Most "computer use" demos give a model raw pixel coordinates and hope for the best. Hands is built differently: every action goes through a typed 7-phase dispatch pipeline — validate → rate-limit → authorize → lock → execute-with-retry → observe → audit — so that giving an agent control of your desktop doesn't mean giving up any of your say in what it's allowed to do.
import anyio
from hands import Container, HandsConfig
config = HandsConfig()
config.driver = "fake" # no macOS needed — great for a first look
container = Container.build(config)
async def main():
shot = await container.dispatcher.dispatch("screenshot", {})
print(shot["ok"], shot["bounds_pt"])
anyio.run(main)Why Hands
A real policy engine, not a rubber stamp. Rule-based profiles (
strict/default/trusted), an app deny-list (Passwords, 1Password, System Settings — blocked out of the box), secret-pattern detection on typed text, per-tool confirmation, and a sliding-window rate limiter. See Security Model.Tamper-evident audit log. Every action is appended to a SHA-256 hash-chained JSONL log; deleting or editing any line downstream breaks the chain, and
hands audit verifyproves it.Redaction by construction. Clipboard content and typed text never enter application state, logs, audit records, or metrics — only their length and a SHA-256 hash ever do.
A fake driver, not just mocks.
FakeDriveris a full in-memory virtual desktop (windows, apps, clipboard, AX tree, OCR boxes) that every tool runs against identically to the real macOS driver. The entire test suite — 215 tests — runs on Linux CI with zero macOS hardware, and it's the fastest way to try Hands out or build a plugin without touching your real screen.Perception, not just action. OCR-grounded text search (
find_text), an accessibility-tree fallback (get_ui_tree), and averify/waitcondition language so an agent can confirm an action worked instead of flying blind.A kill switch that actually works.
touch ~/.hands/KILLhalts the server immediately — checked before every single dispatch, including mid-way through a batchedexecute_sequence.Extensible without forking. Third-party plugins register tools through the exact same
ToolSpecmachinery as the 22 built-ins, loaded via Python entry points; a plugin that raises during setup is logged and skipped, not a server crash. (Plugins run in-process with access to the same services — this is crash isolation, not a security sandbox; don't load untrusted plugin code any more than you would an untrusted import.)
Related MCP server: macinput
Requirements
macOS 13+ (Ventura or later) for real desktop control
Python 3.12+
Screen Recording and Accessibility permissions (System Settings → Privacy & Security) —
hands permissionstells you exactly what's missing
You can install and explore the library on any OS using the fake driver
(HANDS_DRIVER=fake) — only real desktop control requires macOS.
Installation
pip install hands-mcpWith the macOS driver and Vision OCR (needed for real desktop control):
pip install "hands-mcp[macos]"The import name is still hands regardless of the install name above:
import hands
print(hands.__version__)For development:
git clone https://github.com/yuvitbatra/hands-mcp.git
cd hands-mcp
uv sync --group dev
uv run pytest -qQuick Start
As an MCP server (for AI agents)
Add to your MCP client configuration (e.g. Claude Desktop's
claude_desktop_config.json):
{
"mcpServers": {
"hands": {
"command": "hands",
"args": ["serve"]
}
}
}Or run it directly over stdio:
hands serveAs a Python library
import anyio
from hands import Container, HandsConfig
# The fake driver is a full in-memory virtual desktop — no macOS needed.
config = HandsConfig()
config.driver = "fake"
container = Container.build(config)
async def main():
res = await container.dispatcher.dispatch("screenshot", {})
print(res["ok"]) # True
anyio.run(main)# Or run the full MCP server over stdio from your own process:
import anyio
from hands import run_server, load_config
anyio.run(run_server, load_config())Diagnostics
hands doctor # resolved config, driver, displays, registered tools
hands doctor --metrics # ...plus a metrics snapshot (counters + latency histograms)
hands permissions # TCC grant status (Screen Recording, Accessibility) + fix links
hands audit verify # verify the audit log's hash chain end to endTools (22)
Full argument/return reference: docs/TOOLS.md.
Tool | Policy | Description |
| read | Capture the screen (or a region); cached by default |
| read | Session state: cursor, displays, action history, dirty flag |
| read | OCR search returning bounding boxes for matching text |
| read | Accessibility tree for an app (roles, labels, frames) |
| read | Poll until a condition is met: text present, window state, duration |
| read | Check an expected outcome after acting; returns evidence |
| act | Move the cursor |
| act | Click at a point (single, double, or triple) |
| act | Click-drag along a path |
| act | Scroll at a point |
| act | Type text into the focused element (refused during secure input) |
| act | Press a key or chord (e.g. |
| sensitive | Read the current clipboard (text or image) |
| act | Set the clipboard to text or a PNG image |
| act | Paste via clipboard + Cmd+V, restoring the clipboard after |
| read | List windows, optionally filtered by app |
| act | Bring a window to front (stale refs re-resolve by fuzzy title) |
| act → sensitive on | Move, resize, minimize, maximize, or close a window |
| act | Launch an app by bundle ID or name, waiting for its window |
| act → sensitive on | Quit an app gracefully, or force-terminate |
| read | List running apps and the frontmost one |
| act | Batch up to 20 pre-decided acting steps in one round trip, gated by guard conditions |
Security Model
An agent that can move your mouse and type on your behalf is a genuinely different risk profile from a chatbot, so the policy layer isn't an afterthought — it's a fixed phase of every dispatch, before the tool ever runs:
validate args → rate limit → authorize (PermissionEngine) → acquire action lock
→ execute with retry → record state/screen-dirty → audit + metricsProfiles (HANDS_SECURITY__PROFILE, default default):
Profile |
|
|
| requires confirmation | requires confirmation |
| allowed | requires confirmation |
| allowed | allowed |
Evaluation order for every action: (1) is the frontmost app on the
deny-list? → denied outright, even under trusted. (2) does a configured
rule match? → first match wins. (3) does typed/pasted text match a
secret_patterns regex? → confirmation required regardless of profile. (4)
fall through to the profile's class default above.
App deny-list (HANDS_SECURITY__DENY_APPS, on by default): blocks
acting tools — reads still work — against com.apple.systempreferences*,
com.apple.Passwords*, com.apple.keychainaccess, 1Password (both bundle
id families). This applies uniformly whether the tool is called directly or
from inside execute_sequence.
Rate limiting (HANDS_SECURITY__MAX_ACTIONS_PER_S, default 10.0): a
1-second sliding window over acting tools; bursts past the limit are denied,
not queued.
Secure input refusal: keyboard_type and clipboard_get are refused
outright while macOS reports secure text entry active (a password field has
focus) — independent of profile.
Confirmation hooks: under dialog mode (default, macOS only) a
denied-by-default sensitive action pops a real confirmation dialog via
osascript; under deny mode (or off-macOS) it's auto-denied. Plug in your
own hook by subclassing the PermissionEngine's confirm callback if you need
a different UX (e.g. routing through your agent framework's own approval
flow).
Redaction invariant: clipboard content and typed text are used only
in-memory for policy matching (e.g. secret-pattern checks) — they never
reach state, the audit log, or metrics in raw form. Only length and a
SHA-256 hash ever leave those boundaries.
Kill switch: touch ~/.hands/KILL halts the server immediately —
checked at the top of every dispatch, including mid-sequence inside
execute_sequence. Remove the file to resume.
Audit log: every action is appended to ~/.hands/audit.jsonl as
{"event", "prev_hash", "hash"}, where hash = sha256(prev_hash + canonical_json(event)). Tampering with or deleting any line downstream
breaks the chain — verify with hands audit verify.
Configuration
All settings can be overridden via HANDS_* environment variables (nested
fields use __, e.g. HANDS_SECURITY__PROFILE). Full schema:
src/hands/config.py.
Variable | Default | Description |
|
|
|
|
|
|
| see above | JSON list of bundle-id globs blocked for acting tools |
|
| JSON list of regexes that force confirmation on typed/pasted text |
|
| Sliding-window rate limit for acting tools |
|
|
|
| (all allowed) | JSON list of allowed plugin entry-point names |
|
| Max screenshot dimension |
|
| JPEG quality (0–100) |
|
| Delay between mouse down and up |
|
| Characters per typing chunk |
|
| Depth-first-traversal node cap for |
Plugin System
Hands supports external plugins that register custom tools through the exact
same ToolSpec machinery as the built-ins — no side door around the
dispatcher, so plugin tools get the same policy, retry, and audit treatment.
from hands.plugins.api import HandsPlugin, PluginContext
class MyPlugin:
name = "my-plugin"
version = "1.0.0"
def setup(self, ctx: PluginContext) -> None:
from pydantic import BaseModel
from hands.registry import ToolSpec
from hands.retry import RetryPolicy
class Args(BaseModel, extra="forbid"):
query: str
async def my_tool(args: Args, ctx_) -> dict:
return {"result": f"searched for {args.query}"}
ctx.registry.register(ToolSpec(
"my_search", "Custom search tool",
Args, my_tool, "read", RetryPolicy.read(), idempotent=True))
def teardown(self) -> None:
passRegister it via the hands.plugins entry-point group in your own package's
pyproject.toml:
[project.entry-points."hands.plugins"]
my-plugin = "my_package.plugin:MyPlugin"Plugins load at server startup. A plugin that raises in setup is logged
and skipped — it never takes the server down. Restrict which plugins may
load with an allowlist:
HANDS_SECURITY__PLUGIN_ALLOWLIST='["my-plugin"]' hands serveSee docs/plugins.md for the full plugin author's guide,
and src/hands/plugins/api.py for the stable
import surface (semver-guarded — additive-only within a major version).
Testing
uv run pytest -q # 215 tests, any OS, ~2s
HANDS_CONTRACT_MACOS=1 uv run pytest tests/contract -q # real macOS driver (needs TCC grants)
HANDS_E2E_MACOS=1 uv run pytest tests/e2e -q # full stack vs. a real Tk fixture app
uv run pytest tests/perf -m perf --benchmark-only -q # latency budgets
uv run pytest tests/stress -m stress -q # 10k-action soak + concurrencyThe contract/e2e suites are opt-in because they genuinely move your mouse
and open/close real apps — don't run them unattended. See
CONTRIBUTING.md for the full development workflow.
Architecture
types, errors, config, retry
↓
driver/base (Protocol) ← fake.py (tests/CI) + macos.py (real hardware)
↓
services/ (screenshot, ocr, mouse, keyboard, clipboard, windows, apps,
waiter, verification)
↓
state, permissions (PermissionEngine), audit (hash-chained), metrics, registry
↓
dispatcher (7-phase pipeline: validate → rate-limit → authorize → lock →
execute-with-retry → observe → audit)
↓
tools/ (22 MCP tools)
↓
container → server (MCP stdio transport) → cliFull design rationale: docs/DESIGN.md.
Contributing
Contributions welcome — see CONTRIBUTING.md for the
development setup, test-driven workflow, and what a good PR looks like.
License
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/yuvitbatra/hands-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server