macOS-MCP is NOT sandboxed. Every tool call executes real actions directly on your macOS system with no intermediate layer, simulation, or preview mode. Understand the risks before deployment.
macOS-MCP operates with Accessibility API permissions, enabling:
- File system operations (create, read, modify, delete)
- Application launching and control
- Keyboard and mouse input simulation
- System preference modifications
- Shell command execution with user privileges
Many operations cannot be undone:
- File deletions are permanent
- Data overwrites cannot be recovered
- System modifications may persist
- No undo functionality available
Unlike traditional automation tools, macOS-MCP:
- Cannot preview actions before execution
- Does not simulate operations
- Executes immediately upon LLM decision
- Provides no confirmation dialogs
Do NOT deploy macOS-MCP on:
- Production servers or workstations - Real business systems
- Systems with irreplaceable data - Photos, documents, financial records
- Compliance-regulated environments - Healthcare (HIPAA), finance (PCI), government systems
- Shared multi-user systems - Systems accessed by multiple users
- Any machine you cannot afford to lose - Critical infrastructure
- Snapshots: Create snapshots before each session for rollback
- Isolation: Use separate VMs for testing and production
- Resources: Allocate minimal resources to limit blast radius
- Isolated environment built into Windows 10/11 Pro
- Automatic cleanup after use
- No persistent changes to host system
- Machines with no production data
- Isolated network segments
- Regular backups maintained
- Fresh OS installation or snapshots between tests
- Air-gapped systems
- No internet connectivity
- Limited access to sensitive resources
- Monitored and logged environments
These tools can perform permanent system modifications:
| Tool | Capabilities | Risks |
|---|---|---|
| Shell | Execute arbitrary commands | Full system access, irreversible changes |
| Click | Interact with UI elements | Can trigger destructive actions |
| Type | Input text to applications | May delete or overwrite data |
| Drag | Move/drag UI elements | Can relocate or delete items |
| Shortcut | Press keyboard shortcuts | Cmd+Q quits apps, Cmd+Delete deletes items |
These tools can modify state but with some reversibility:
| Tool | Capabilities | Risks |
|---|---|---|
| App | Launch/close applications | Can start unwanted processes |
| Scroll | Navigate UI content | May trigger unintended actions |
| Move | Move mouse cursor | Could trigger hover-based effects |
These tools only read information:
| Tool | Capabilities | Risks |
|---|---|---|
| Snapshot | Capture desktop state | No system modifications |
| Wait | Pause execution | No system impact |
| Scrape | Extract webpage content | Read-only operation |
- Use unprivileged user accounts for testing
- Avoid running with sudo/admin privileges
- Limit Accessibility permissions to necessary applications
- Log all operations performed
- Review AI-generated action plans before execution
- Monitor system changes in real-time
- Implement approval workflows for critical operations
- Full system backups before each session
- Incremental backups between major changes
- Test backup restoration procedures
- Keep backups isolated from production systems
- Deploy on isolated network segments
- Disable internet access if not needed
- Use firewall rules to restrict outbound connections
- Monitor network activity
- Always test workflows in VMs or sandboxes
- Start with non-critical operations
- Gradually increase complexity and scope
- Verify behavior matches expectations
- Restrict Accessibility permissions to trusted apps only
- Use separate user accounts for different purposes
- Implement approval processes for high-risk operations
- Audit access logs regularly
- Keep detailed logs of all operations
- Review AI decision-making processes
- Document lessons learned
- Build organizational knowledge
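The following is an added example, not macOS-MCP's own code: a gate placed between the LLM's tool decision and the real tool call, implementing the "log all operations" and "approval workflows for critical operations" recommendations above. The tool names and their risk tiers are taken from the three tables; the `dispatch` callback (whatever actually invokes macOS-MCP), the `approve` callback and the log path are assumptions of this example, and the run in `demo()` uses a constructed stand-in dispatcher.

```python
"""Risk-tier gate for macOS-MCP tool calls (added example, not project code).

Tiers come from the page's tables; dispatch/approve/log_path are assumptions."""
import json
import time
from typing import Any, Callable, Dict, List, Optional

# Risk tiers copied from the page's tables; anything unlisted is treated as high.
TIERS: Dict[str, str] = {
    "Shell": "high", "Click": "high", "Type": "high", "Drag": "high", "Shortcut": "high",
    "App": "medium", "Scroll": "medium", "Move": "medium",
    "Snapshot": "read-only", "Wait": "read-only", "Scrape": "read-only",
}


class ToolGate:
    """Fail-closed wrapper: high-risk tools need explicit approval, every call is logged."""

    def __init__(self, dispatch: Callable[[str, Dict[str, Any]], Any],
                 approve: Callable[[str, Dict[str, Any]], bool],
                 log_path: Optional[str] = None) -> None:
        self.dispatch = dispatch      # assumed: the function that really calls macOS-MCP
        self.approve = approve        # assumed: human or policy approver for high-risk tools
        self.log_path = log_path      # optional local JSON-lines log file
        self.entries: List[Dict[str, Any]] = []  # in-memory copy of the log

    def _log(self, entry: Dict[str, Any]) -> None:
        self.entries.append(entry)
        if self.log_path:  # one JSON record per tool call, kept locally only
            with open(self.log_path, "a", encoding="utf-8") as fh:
                fh.write(json.dumps(entry) + "\n")

    def call(self, tool: str, args: Dict[str, Any]) -> Dict[str, Any]:
        tier = TIERS.get(tool, "high")  # unknown tool -> highest tier (fail closed)
        entry: Dict[str, Any] = {"ts": time.time(), "tool": tool, "tier": tier, "args": args}
        if tier == "high" and not self.approve(tool, args):
            entry["outcome"] = "blocked"
            self._log(entry)
            return {"ok": False, "tier": tier, "reason": "approval required"}
        try:
            result = self.dispatch(tool, args)
        except Exception as exc:  # record failures as well, then re-raise
            entry["outcome"] = "error"
            entry["error"] = str(exc)
            self._log(entry)
            raise
        entry["outcome"] = "executed"
        self._log(entry)
        return {"ok": True, "tier": tier, "result": result}


def demo() -> ToolGate:
    """Constructed run: a stand-in dispatcher and an approver that only allows
    Shell commands whose program is on a short allowlist."""
    def fake_dispatch(tool: str, args: Dict[str, Any]) -> str:  # stands in for macOS-MCP
        return f"{tool} executed with {args}"

    def approve(tool: str, args: Dict[str, Any]) -> bool:
        if tool == "Shell":
            return args.get("command", "").split(" ")[0] in {"ls", "pwd"}
        return False  # other high-risk tools would need a human decision; none here

    gate = ToolGate(fake_dispatch, approve)
    gate.call("Snapshot", {})                               # read-only: runs
    gate.call("Shell", {"command": "ls -la"})               # allowlisted program: runs
    gate.call("Shell", {"command": "rm -r ~/Documents"})    # not allowlisted: blocked
    gate.call("Click", {"x": 10, "y": 20})                  # high tier, no approval: blocked
    return gate


if __name__ == "__main__":
    for e in demo().entries:
        print(json.dumps(e))
```

Unknown tool names are deliberately mapped to the high tier so that a new or misspelled tool cannot bypass approval; the log keeps arguments locally, which matches the page's statement that nothing is reported externally.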
macOS-MCP requires Accessibility permissions to function. This is a system-level privilege that should be granted carefully.
- System Settings > Privacy & Security > Accessibility
- Click the lock icon and authenticate
- Only add trusted applications (Terminal, VS Code, etc.)
- Remove permissions for applications that no longer need them
- Regularly audit the permission list
To revoke Accessibility permissions:
- System Settings > Privacy & Security > Accessibility
- Click the lock icon
- Select the application and click the - button
- Permissions are revoked immediately
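As an added example (not macOS-MCP's own code), the following script audits the Accessibility grant list against an allowlist so the "regularly audit the permission list" step can run on a schedule instead of by eye in System Settings. Its assumptions are not stated on this page: macOS keeps TCC grants in an SQLite database at `/Library/Application Support/com.apple.TCC/TCC.db`, in a table `access` with columns `service`, `client` and `auth_value`; the Accessibility service is `kTCCServiceAccessibility` and `auth_value` 2 means allowed; reading the system database requires Full Disk Access for the terminal running the script; and `tccutil reset Accessibility <bundle-id>` clears a single grant. The allowlist and the sample database built by `make_constructed_db()` are constructed.

```python
"""Accessibility (TCC) grant audit (added example, not project code).

Assumed: TCC.db path, `access` table columns, service name and auth_value meaning."""
import os
import sqlite3
import tempfile
from pathlib import Path
from typing import Iterable, List, Tuple

SYSTEM_TCC_DB = "/Library/Application Support/com.apple.TCC/TCC.db"  # assumed location
ACCESSIBILITY = "kTCCServiceAccessibility"                           # assumed service name
AUTH_ALLOWED = 2                                                     # assumed: 2 == allowed


def list_accessibility_clients(db_path: str) -> List[Tuple[str, int]]:
    """Return (client, auth_value) for every Accessibility row, opening the DB read-only."""
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute(
            "SELECT client, auth_value FROM access WHERE service = ? ORDER BY client",
            (ACCESSIBILITY,),
        ).fetchall()
    finally:
        con.close()
    return [(str(c), int(v)) for c, v in rows]


def audit(db_path: str, allowlist: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Return (granted, unexpected): all allowed clients, and those not on the allowlist."""
    allowed = set(allowlist)
    granted = [c for c, v in list_accessibility_clients(db_path) if v == AUTH_ALLOWED]
    unexpected = [c for c in granted if c not in allowed]
    return granted, unexpected


def revoke_commands(unexpected: Iterable[str]) -> List[str]:
    """Build `tccutil reset Accessibility <bundle-id>` lines for review; nothing is
    executed here, and the client is assumed to be a bundle identifier."""
    return [f"tccutil reset Accessibility {client}" for client in unexpected]


def make_constructed_db() -> str:
    """Constructed sample with only the columns the audit reads (the real table has more)."""
    path = os.path.join(tempfile.mkdtemp(), "TCC.db")
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, auth_value INTEGER)")
    con.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", [
        (ACCESSIBILITY, "com.apple.Terminal", 0, 2),
        (ACCESSIBILITY, "com.microsoft.VSCode", 0, 2),
        (ACCESSIBILITY, "com.example.forgotten-helper", 0, 2),  # hypothetical stale grant
        (ACCESSIBILITY, "com.example.denied", 0, 0),            # present but not allowed
        ("kTCCServiceCamera", "com.example.chat", 0, 2),        # other service, ignored
    ])
    con.commit()
    con.close()
    return path


if __name__ == "__main__":
    db = SYSTEM_TCC_DB if os.path.exists(SYSTEM_TCC_DB) else make_constructed_db()
    try:
        granted, unexpected = audit(db, ["com.apple.Terminal", "com.microsoft.VSCode"])
    except sqlite3.OperationalError as exc:
        raise SystemExit(f"cannot read {db} (Full Disk Access needed?): {exc}")
    print("granted:", granted)
    for cmd in revoke_commands(unexpected):
        print("review:", cmd)
```

The script only prints the revoke commands so a person reviews each entry before removing it; denied rows are ignored because they grant nothing, and rows for other TCC services are excluded by the `service` filter.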
If you discover a security vulnerability in macOS-MCP:
- Do NOT disclose the vulnerability publicly
- Do NOT create a public GitHub issue
- Email security concerns to: [email protected]
- Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fixes (if any)
- Allow reasonable time for remediation before public disclosure
- Initial response: Within 48 hours
- Assessment: Within 1 week
- Fix development: As quickly as possible
- Release: Prioritized security updates
- Disclosure: After fix is released
macOS-MCP does not currently collect any telemetry data.
- No operation tracking
- No argument or output logging (except locally)
- No personal data collection
- No external reporting
macOS-MCP is NOT suitable for:
- HIPAA (healthcare data)
- PCI-DSS (payment card data)
- SOC 2 (audit-required systems)
- GDPR (sensitive personal data)
- FedRAMP (government systems)
Consider compliance implications before use.
Stay informed about security updates:
- Watch the GitHub repository
- Subscribe to release notifications
- Review changelog for security fixes
- Update promptly when patches are released
- See CLAUDE.md for architecture details
- See README.md for usage information
- See CONTRIBUTING.md for development guidelines
macOS-MCP is licensed under the MIT License. Security policy updates may occur independently of version releases.
Last Updated: April 2026
For questions about security, contact: [email protected]